Merge pull request #722 from Thulinma/noHtmlFixes

Fix two more HTML injection attacks.
3 years ago · e88ab89c18
parent 7bb1b1c650 45b5629fe4
commit e88ab89c18
2 changed files with 3 additions and 3 deletions
--- a/src/RoomsModel.cpp
+++ b/src/RoomsModel.cpp
@ -77,7 +77,7 @@ RoomsModel::data(const QModelIndex &index, int role) const
                        return QString::fromStdString(
                          roomInfos.at(roomids[index.row()]).avatar_url);
                case Roles::RoomID:
-                        return roomids[index.row()];
+                        return roomids[index.row()].toHtmlEscaped();
                }
        }
        return {};
--- a/src/timeline/Reaction.h
+++ b/src/timeline/Reaction.h
@ -16,8 +16,8 @@ struct Reaction
        Q_PROPERTY(int count READ count)
 public:
-        QString key() const { return key_; }
+        QString key() const { return key_.toHtmlEscaped(); }
-        QString users() const { return users_; }
+        QString users() const { return users_.toHtmlEscaped(); }
        QString selfReactedEvent() const { return selfReactedEvent_; }
        int count() const { return count_; }