[Libreoffice-commits] online.git: loleaflet/src
Libreoffice Gerrit user
logerrit at kemper.freedesktop.org
Tue Mar 19 10:06:39 UTC 2019
loleaflet/src/control/toolbar.js | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
New commits:
commit 7176214de3177ad3ecc2f79871cca686e2683ea3
Author: Szymon Kłos <szymon.klos at collabora.com>
AuthorDate: Tue Mar 19 10:07:50 2019 +0100
Commit: Szymon Kłos <szymon.klos at collabora.com>
CommitDate: Tue Mar 19 11:05:18 2019 +0100
Escape username
For guest users, it was possible to inject HTML.
Change-Id: I642de3efa0fa03cd2a8d63834605f46eacd0f464
Reviewed-on: https://gerrit.libreoffice.org/69410
Reviewed-by: Szymon Kłos <szymon.klos at collabora.com>
Tested-by: Szymon Kłos <szymon.klos at collabora.com>
(cherry picked from commit 3084565981d85d5734436c3411266c529ad5d879)
diff --git a/loleaflet/src/control/toolbar.js b/loleaflet/src/control/toolbar.js
index 7890137c8..5ef4f62f0 100644
--- a/loleaflet/src/control/toolbar.js
+++ b/loleaflet/src/control/toolbar.js
@@ -2212,11 +2212,16 @@ function updateUserListCount() {
}
}
+function escapeHtml(input) {
+ return $('<div>').text(input).html();
+}
+
function onAddView(e) {
+ var username = escapeHtml(e.username);
$('#tb_actionbar_item_userlist')
.w2overlay({
class: 'loleaflet-font',
- html: userJoinedPopupMessage.replace('%user', e.username),
+ html: userJoinedPopupMessage.replace('%user', username),
style: 'padding: 5px'
});
clearTimeout(userPopupTimeout);
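Review bot: The added `escapeHtml` relies on `$('<div>').text(input).html()`, which encodes `&`, `<` and `>` but leaves `"` and `'` untouched, so its result is safe only as element content and not inside an attribute value. That limit should be stated on the helper, e.g. `// Escapes &, < and > for element content only; quotes are not escaped, so never place the result in an attribute value.` The escaped `username` now also feeds the rest of `onAddView`, which continues outside this hunk, so each later sink should be checked to confirm it expects HTML-escaped text (a text-based sink would display the entities literally). Separately, `String.prototype.replace` interprets `$&`, `` $` `` and `$'` in a string replacement, so a name containing those sequences would splice template text into the popup; `.replace('%user', function () { return username; })` avoids that.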
@@ -2226,7 +2231,6 @@ function onAddView(e) {
userPopupTimeout = null;
}, 3000);
- var username = e.username;
var color = L.LOUtil.rgbToHex(map.getViewColor(e.viewId));
if (e.viewId === map._docLayer._viewId) {
username = _('You');