the source of notices is probably safe html to render

This commit is contained in:
Hannes Mannerheim 2015-01-19 14:07:46 +01:00
parent 518daa127e
commit 259651e671

View File

@ -36,7 +36,9 @@
/* ·
·
· Removes HTML special chars recursively from strings in objects
· with one exception: statusnet_html found in notices
· with exceptions: "statusnet_html" found in notices, which we assume
· gnusocial already stripped from xss, and the "source" which should be
· html rendered by gnusocial itself and not open for attacks
·
· @param obj: the object to search and replace in
·
@ -50,7 +52,7 @@ function iterateRecursiveReplaceHtmlSpecialChars(obj) {
iterateRecursiveReplaceHtmlSpecialChars(obj[property]);
}
else {
if(typeof obj[property] == 'string' && property != 'statusnet_html') {
if(typeof obj[property] == 'string' && property != 'statusnet_html' && property != 'source') {
obj[property] = replaceHtmlSpecialChars(obj[property]);
}
}