stop some far-fetched xss scenarios

css/qvitter.css

@@ -1312,7 +1312,7 @@ body.rtl #footer-spinner-container {
 	transition-property: opacity;
     transition-duration: 0.1s;
     transition-timing-function: ease-in;
-    transition-delay: 0.3s;
+    transition-delay: 0.6s;
 	}
 .tooltip-caret {
 	z-index: 10000;
@@ -1329,7 +1329,7 @@ body.rtl #footer-spinner-container {
 	transition-property: opacity;
     transition-duration: 0.1s;
     transition-timing-function: ease-in;
-    transition-delay: 0.3s;
+    transition-delay: 0.6s;
 	}
 .tooltip-caret.bottom {
 	border-top:5px solid #333;

js/ajax-functions.js

@@ -332,7 +332,10 @@ function postQueetToAPI(queetText_txt, in_reply_to_status_id, postToGroups, acti
 			},
 		dataType:"json",
 		error: function(data){ actionOnSuccess(false); console.log(data); },
-		success: function(data) { actionOnSuccess(data);}
+		success: function(data) {
+			data = iterateRecursiveReplaceHtmlSpecialChars(data);
+			actionOnSuccess(data);
+			}
 		});
 	}
 

js/qvitter.js

@@ -43,6 +43,9 @@ window.oldStreams = new Object();
 // check our localStorage and make sure it's correct
 checkLocalStorage();
 
+// don't let users inject html/scripts into their own user data... not that it matters, it is only displayed to themselves, but just to be 200% safe
+window.loggedIn = iterateRecursiveReplaceHtmlSpecialChars(window.loggedIn);
+
 
 /* ·
    ·