[FIX] Not escaping special chars on mentions (#10793)

pull/10662/head^2
Erhan 8 years ago committed by Diego Sampaio
parent 51a6b40751
commit 5bfbb98d30
  1. 3
      packages/rocketchat-mentions/Mentions.js
  2. 12
      packages/rocketchat-mentions/tests/client.tests.js

@ -3,6 +3,7 @@
* @param {Object} message - The message object
*/
import _ from 'underscore';
import s from 'underscore.string';
export default class {
constructor({pattern, useRealName, me}) {
this.pattern = pattern;
@ -43,7 +44,7 @@ export default class {
if (message.temp == null && mentionObj == null) {
return match;
}
const name = this.useRealName && mentionObj && mentionObj.name;
const name = this.useRealName && mentionObj && s.escapeHTML(mentionObj.name);
return `<a class="mention-link ${ username === me ? 'mention-link-me background-primary-action-color':'' }" data-username="${ username }" title="${ name ? username : '' }">${ name || match }</a>`;
});
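Review bot: Only `mentionObj.name` gets `s.escapeHTML` in the rewritten `const name` line; `username` and `match` are still interpolated raw into the `data-username` and `title` attributes and, when `name` is falsy, into the element text on the `return` line. Whether that is safe depends entirely on how tight `this.pattern` is, and the pattern is not visible in this hunk, so I would either escape those too, `data-username="${ s.escapeHTML(username) }" title="${ name ? s.escapeHTML(username) : '' }">${ name || s.escapeHTML(match) }</a>`, or add a comment above the `return` stating that `username`/`match` are trusted because the pattern admits only a fixed safe character class. A short why-comment on the `name` line, `// real names are user-controlled, escape before rendering as text`, would also help the next reader. The enclosing replace callback begins above the hunk; the `});` here closes it.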

@ -183,7 +183,7 @@ describe('Mention', function() {
});
const message = {
mentions:[{username:'rocket.cat', name: 'Rocket.Cat'}, {username:'admin', name: 'Admin'}, {username: 'me', name: 'Me'}],
mentions:[{username:'rocket.cat', name: 'Rocket.Cat'}, {username:'admin', name: 'Admin'}, {username: 'me', name: 'Me'}, {username: 'specialchars', name:'<img onerror=alert(hello)>'}],
channels: [{name: 'general'}, {name: 'rocket.cat'}]
};
describe('replace methods', function() {
@ -227,11 +227,18 @@ describe('replace methods', function() {
const result = mention.replaceUsers('@rocket.cat', message, 'me');
assert.equal(result, `<a class="mention-link " data-username="${ str2.replace('@', '') }" title="${ str2.replace('@', '') }">${ str2Name }</a>`);
});
it(`should render for "hello ${ str2 }"`, () => {
const result = mention.replaceUsers(`hello ${ str2 }`, message, 'me');
assert.equal(result, `hello <a class="mention-link " data-username="${ str2.replace('@', '') }" title="${ str2.replace('@', '') }">${ str2Name }</a>`);
});
const specialchars = '@specialchars';
const specialcharsName = '&lt;img onerror=alert(hello)&gt;';
it(`should escape special characters in "hello ${ specialchars }"`, () => {
const result = mention.replaceUsers(`hello ${ specialchars }`, message, 'me');
assert.equal(result, `hello <a class="mention-link " data-username="${ specialchars.replace('@', '') }" title="${ specialchars.replace('@', '') }">${ specialcharsName }</a>`);
});
it('should render for unknow/private user "hello @unknow"', () => {
const result = mention.replaceUsers('hello @unknow', message, 'me');
assert.equal(result, 'hello @unknow');
@ -254,7 +261,6 @@ describe('replace methods', function() {
});
it(`should render for "hello ${ str2 }"`, () => {
const result = mention.replaceChannels(`hello ${ str2 }`, message);
console.log('result', result);
assert.equal(result, `hello <a class="mention-link" data-channel="${ str2.replace('#', '') }">${ str2 }</a>`);
});
it('should render for unknow/private channel "hello #unknow"', () => {
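Review bot: The new `specialchars` fixture and its expected `specialcharsName` only cover `<` and `>`, so the test does not pin the rest of the entity set that the `s.escapeHTML` fix is relied on for. I would extend the fixture name to include `&`, `"` and `'` and update the expected string accordingly (I expect `&amp;`, `&quot;` and `&#39;` from underscore.string, but confirm against the installed version), so a later swap of the escaping helper cannot silently drop attribute-relevant characters. The test title could also say what it asserts on, e.g. `should HTML-escape the real name of "hello ${ specialchars }"`, since only the real-name path is escaped by the change.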
