Properly encode usernames and room titles

2024-10-31 14:10:08 +00:00 · 2013-10-16 21:26:07 +02:00 · 2013-10-16 21:26:07 +02:00 · 0622d64e28
commit 0622d64e28
parent 92ee11daba
2 changed files with 2 additions and 3 deletions
--- a/file/js/be.bastelstu.Chat.litcoffee
+++ b/file/js/be.bastelstu.Chat.litcoffee
@ -644,7 +644,7 @@ Fetch the roomlist from the server and update it in the GUI.
 					for room in data.returnValues
 						li = $ '<li></li>'
 						li.addClass 'active' if room.active
-						$("""<a href="#{room.link}">#{room.title} <span class="badge">#{WCF.String.formatNumeric room.userCount}</span></a>""").addClass('timsChatRoom').data('roomID', room.roomID).appendTo li
+						$("""<a href="#{room.link}">#{WCF.String.escapeHTML(room.title)} <span class="badge">#{WCF.String.formatNumeric room.userCount}</span></a>""").addClass('timsChatRoom').data('roomID', room.roomID).appendTo li
 						$('#timsChatRoomList ul').append li
 					if window.history?.replaceState?
@ -742,7 +742,7 @@ Open private channel
 			if userID isnt 0
 				$('#timsChatTopic').removeClass 'hidden empty'
-				$('#timsChatTopic > .topic').text WCF.Language.get 'chat.general.privateChannelTopic', {username: userList.allTime[userID].username}
+				$('#timsChatTopic > .topic').html WCF.Language.get 'chat.general.privateChannelTopic', {username: userList.allTime[userID].username}
 				$('#timsChatTopic > .jsTopicCloser').attr 'title', WCF.Language.get 'chat.general.closePrivateChannel'
 				unless $.wcfIsset "privateChannel#{userID}"
--- a/file/lib/system/command/commands/InfoCommand.class.php
+++ b/file/lib/system/command/commands/InfoCommand.class.php
@ -15,7 +15,6 @@
 * @subpackage	system.chat.command.commands
 */
 class InfoCommand extends \chat\system\command\AbstractCommand {
 	public $enableHTML = self::SETTING_ON;	
 	public $lines = array();
 	public $user = null;