one more possible xss issue

2015-09-06 01:50:20 +02:00 · 2015-09-06 01:50:20 +02:00 · 018d1d1bbb
commit 018d1d1bbb
parent 76dcc86ffc
1 changed files with 10 additions and 6 deletions
--- a/js/dom-functions.js
+++ b/js/dom-functions.js
@ -375,9 +375,11 @@ function openExternalProfileInPopup(data) {
 	var noticeHtml = '';
 	if(typeof data.status != 'undefined') {
 		data.status.user = data;
-		var $noticeHtmlObj = $('<div/>').append(buildQueetHtml(data.status));
-		$noticeHtmlObj.find('.queet-thumbs').remove();
-		var noticeHtml = $noticeHtmlObj.outerHTML();
+		if(data.status.source != 'activity' && data.status.is_activity !== true) { // no acitivy notices in preview
+			var $noticeHtmlObj = $('<div/>').append(buildQueetHtml(data.status));
+			$noticeHtmlObj.find('.queet-thumbs').remove();
+			var noticeHtml = $noticeHtmlObj.outerHTML();
+			}
 		}

 	popUpAction('popup-external-profile', data.screenNameWithServer,data.profileCard + noticeHtml,'<a class="go-to-external-profile" href="' + data.statusnet_profile_url + '">' + window.sL.goToExternalProfile + '</a>');
@ -400,9 +402,11 @@ function openLocalProfileInPopup(data) {
 	var noticeHtml = '';
 	if(typeof data.status != 'undefined') {
 		data.status.user = data;
-		var $noticeHtmlObj = $('<div/>').append(buildQueetHtml(data.status));
-		$noticeHtmlObj.find('.queet-thumbs').remove();
-		var noticeHtml = $noticeHtmlObj.outerHTML();
+		if(data.status.source != 'activity' && data.status.is_activity !== true) { // no acitivy notices in preview
+			var $noticeHtmlObj = $('<div/>').append(buildQueetHtml(data.status));
+			$noticeHtmlObj.find('.queet-thumbs').remove();
+			var noticeHtml = $noticeHtmlObj.outerHTML();
+			}
 		}

 	popUpAction('popup-local-profile', '@' + data.screen_name, data.profileCardHtml + '<div class="clearfix"></div>' + noticeHtml,'<a class="go-to-local-profile" href="' + data.statusnet_profile_url + '">' + window.sL.goToExternalProfile + '</a>');