Escape HTML in user blocks

2026-04-20 14:29:52 +00:00 · 2024-03-26 04:57:19 +01:00
parent 94ba8817d2
commit 84be9a4b4f
1 changed files with 9 additions and 1 deletions
--- a/static/chat.js
+++ b/static/chat.js
@@ -20,6 +20,11 @@ function escapeHTML(html) {
        .replace(/'/g, "&#039;");
 }

+function escapeBlock(text) {
+    return text
+        .replace(/([\\`*_{}[\]()#+\-.!>])/g, '\\$1');
+}
+
 renderer.code = function(code, infostring, escaped) {
    const uniqueId = `copy-${Math.random().toString(16).slice(2)}`;
    let escapedCode = escapeHTML(code);
@@ -581,7 +586,10 @@ class ChatBlock {

        let html = "";
        if (name) html += "<div class='name' style='color: " + col + "'>" + name + "</div>"
-        html += marked.parse(text);
+        if (this.block.author == "user")
+            html += marked.parse(escapeBlock(escapeHTML(text)));
+        else
+            html += marked.parse(text);

        this.textBlock.innerHTML = html;
    }