the source of notices is probably safe html to render
parent
518daa127e
commit
259651e671
|
@ -36,7 +36,9 @@
|
||||||
/* ·
|
/* ·
|
||||||
·
|
·
|
||||||
· Removes HTML special chars recursively from strings in objects
|
· Removes HTML special chars recursively from strings in objects
|
||||||
· with one exception: statusnet_html found in notices
|
· with exceptions: "statusnet_html" found in notices, which we assume
|
||||||
|
· gnusocial already stripped from xss, and the "source" which should be
|
||||||
|
· html rendered by gnusocial itself and not open for attacks
|
||||||
·
|
·
|
||||||
· @param obj: the object to search and replace in
|
· @param obj: the object to search and replace in
|
||||||
·
|
·
|
||||||
|
@ -50,7 +52,7 @@ function iterateRecursiveReplaceHtmlSpecialChars(obj) {
|
||||||
iterateRecursiveReplaceHtmlSpecialChars(obj[property]);
|
iterateRecursiveReplaceHtmlSpecialChars(obj[property]);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if(typeof obj[property] == 'string' && property != 'statusnet_html') {
|
if(typeof obj[property] == 'string' && property != 'statusnet_html' && property != 'source') {
|
||||||
obj[property] = replaceHtmlSpecialChars(obj[property]);
|
obj[property] = replaceHtmlSpecialChars(obj[property]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
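Review bot: Exempting `source` from `replaceHtmlSpecialChars` in the `else` branch makes the client's XSS safety for that field depend entirely on the server having escaped it, and the commit title itself only says "probably safe". The test is on the property name alone and the function recurses, so any string property called `source` at any depth of any object passed in now skips escaping, not just the one on notices. I can't see the render site from this hunk, but if an instance returns an unescaped client name or URL in that field, the string would reach the page as markup. Rather than skipping the field, consider passing both exempted fields through an allowlist sanitizer before DOM insertion (for `source`, a single `<a>` with an http(s) `href` and text content), and keeping the exemptions in one named list such as `var rawHtmlProperties = ['statusnet_html', 'source'];` checked with `indexOf(property) === -1`. The body of `iterateRecursiveReplaceHtmlSpecialChars` starts and ends outside this hunk.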