Closed MrMebelMan closed 3 years ago
Hi, I've found this bug by trying to print the active players using

Players are represented in this format: `<h1 - play>`, `<jb - jbass>`, and Atom thinks it's HTML markup, so the output was messed up:

You can also do other silly things with it ofc.

This PR fixes the printing of Player objects, but you can still embed code... I guess this is Atom's issue?

Oh, I figured it out, I forgot to sanitize stdin. Embeds are now fixed as well.

Hi!

Thanks for your interest and for finding that! I'm surprised, that's security 101... grrr, my bad.

While your solution works, I prefer to avoid adding a new function, which may itself lead to other security issues... when the browser can already handle it: elements have a `textContent` property which sanitizes inputs. I should have used it from the start; I somehow forgot to follow the source of log messages. I therefore used it instead as of 451dee9850ed079013fcf18188f4f21226254876.

Too bad, because I think live Rick Rolling could be an emerging discipline!

Nice! TIL about `textContent` 😆
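For anyone who lands on this thread wanting the two patterns side by side, here is an added example (not code from this PR or from the package it targets) of appending a log line to a panel element with `innerHTML` versus `textContent`. With `innerHTML`, a player name such as `<h1 - play>` is handed to the HTML parser and becomes a tag; with `textContent`, the string is stored as a text node and is never parsed, which is what fixes the garbled output. The function names, the `log-line` class and the `log-panel` element id are assumptions; the sample message is the player format from the PR description, constructed here as input.

```javascript
// Added example, not the package's own code. Function names, the
// 'log-line' class and the 'log-panel' element id are assumptions.

// The 'before': concatenating the message into innerHTML re-parses the
// whole panel as markup, so "<h1 - play>" is treated as an <h1> tag.
function appendLogLineUnsafe(container, message) {
  container.innerHTML += '<div class="log-line">' + message + '</div>';
}

// The 'after': create the line element and assign the message through
// textContent. The browser stores it as a text node and, when serialised,
// shows "&lt;h1 - play&gt;" instead of interpreting the angle brackets.
// The container's ownerDocument is used (instead of the global document)
// so the function also works with any DOM implementation the caller passes in.
function appendLogLine(container, message) {
  const doc = container.ownerDocument;
  const line = doc.createElement('div');
  line.className = 'log-line';
  line.textContent = message; // text, never markup, whatever the message contains
  container.appendChild(line);
  return line;
}

// Constructed sample input in the player format described in the PR.
const SAMPLE_PLAYERS_LINE = '<h1 - play>, <jb - jbass>';

// Browser usage, guarded so the file also loads where there is no DOM.
if (typeof document !== 'undefined') {
  const panel = document.getElementById('log-panel'); // element id is an assumption
  if (panel) {
    appendLogLine(panel, SAMPLE_PLAYERS_LINE);
  }
}
```

Note that `textContent` does not strip or escape anything in the string; the literal text, angle brackets included, is kept and shown to the user. The difference is only that it never reaches the HTML parser, which is exactly the property a log panel wants.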