From 259651e6717140ac26109f6fa3a89e5652fb441e Mon Sep 17 00:00:00 2001
From: Hannes Mannerheim
Date: Mon, 19 Jan 2015 14:07:46 +0100
Subject: [PATCH] the source of notices is probably safe html to render

---
 js/misc-functions.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/js/misc-functions.js b/js/misc-functions.js
index 94c4805..5c45860 100644
--- a/js/misc-functions.js
+++ b/js/misc-functions.js
@@ -36,7 +36,9 @@
 /* ·
 ·
 · Removes HTML special chars recursively from strings in objects
- · with one exception: statusnet_html found in notices
+ · with exceptions: "statusnet_html" found in notices, which we assume
+ · gnusocial already stripped from xss, and the "source" which should be
+ · html rendered by gnusocial itself and not open for attacks
 ·
 · @param obj: the object to search and replace in
 ·
@@ -50,7 +52,7 @@ function iterateRecursiveReplaceHtmlSpecialChars(obj) {
 iterateRecursiveReplaceHtmlSpecialChars(obj[property]);
 } else {
-if(typeof obj[property] == 'string' && property != 'statusnet_html') {
+if(typeof obj[property] == 'string' && property != 'statusnet_html' && property != 'source') {
 obj[property] = replaceHtmlSpecialChars(obj[property]);
 }
 }
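Review bot: The new `property != 'source'` exemption in the second hunk is keyed on the property name alone, so any string stored under a `source` key at any depth of the recursed object is passed through unescaped, not only the notice's own source field; the commit title itself rates that field as only "probably" safe, and the first hunk's comment states "not open for attacks" as a fact rather than as the assumption it is. If the exemption is meant for notices only, consider scoping it to the notice object (for example, only when the enclosing object also carries a `statusnet_html` key) or at least recording the trust boundary next to the condition, e.g. `// 'source' is trusted as HTML pre-rendered server-side; it must never carry client-supplied text`, and softening the block comment in the first hunk to say the server is assumed to have sanitized it. The comparisons also use loose `!=`; `!==` would match strict-equality convention without changing behavior here. The enclosing function iterateRecursiveReplaceHtmlSpecialChars starts before and ends after the hunk.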