fix XSS vulnerability

jmadler · Apr 17, 2017 · 5a49e06 · 5a49e06
1 parent 0cbecb2
commit 5a49e06
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 8 deletions.
diff --git a/lib/js/emoji-picker.coffee b/lib/js/emoji-picker.coffee
@@ -62,11 +62,24 @@ class @EmojiPicker
       else
         ''
 
-  unicodeToImage:(input) ->
+  appendUnicodeAsImageToElement:(element, input) ->
     if !input
       return ''
     if !Config.rx_codes
       Config.init_unified()
+
+    split_on_unicode = input.split(Config.rx_codes)
+    for text in split_on_unicode
+      val = ''
+      if Config.rx_codes.test(text)
+        val = Config.reversemap[text]
+        if val
+          val = ':' + val + ':'
+          val = $.emojiarea.createIcon($.emojiarea.icons[val])
+      else
+        val = document.createTextNode(text)
+      element.append(val)
+
     input.replace Config.rx_codes, (m) ->
       val = Config.reversemap[m]
       if val
@@ -86,4 +99,4 @@ class @EmojiPicker
         $img = $.emojiarea.createIcon($.emojiarea.icons[m])
         $img
       else
-        ''
+        ''
diff --git a/lib/js/emoji-picker.js b/lib/js/emoji-picker.js
diff --git a/lib/js/emoji-picker.js.map b/lib/js/emoji-picker.js.map
diff --git a/lib/js/jquery.emojiarea.js b/lib/js/jquery.emojiarea.js
@@ -343,8 +343,8 @@
     if ($textarea.attr('maxlength')) {
       this.$editor.attr('maxlength', $textarea.attr('maxlength'));
     }
-    var unicodeToImageText = this.emojiPopup.unicodeToImage($textarea.val());
-    this.$editor.html(unicodeToImageText);
+    this.emojiPopup.appendUnicodeAsImageToElement(this.$editor, $textarea.val());
+
     this.$editor.attr({
       'data-id': id,
       'data-type': 'input',