alainmeier / cryptonote

:lock: A simple open source web application that lets users encrypt and share messages that can only be read once.
https://cryptonote.me
MIT License

Replace encrypted-message-body's child from <pre> to <p> #6

Closed o-klp closed 9 years ago

o-klp commented 9 years ago

Decrypted message was being placed in a pre tag. So the text did not wrap:

[screenshot: 2014-09-15, 8:56 pm]

Fixed to a p tag [screenshot: 2014-09-15, 9:27 pm]

Text wraps correctly [screenshot: 2014-09-15, 8:55 pm]

Note: I’m mainly a JavaScript programmer. I think I edited all the right places. And I didn’t really go through the heroku/rake stuff, so this could break the code, but I doubt it.

alainmeier commented 9 years ago

This introduces a serious security vuln because the user's content isn't wrapped in a pre so it's vulnerable to JS fun.

o-klp commented 9 years ago

Can you clarify what you mean by JS fun? You can still select and change pre elements using JS DOM methods.

alainmeier commented 9 years ago

http://en.wikipedia.org/wiki/Cross-site_scripting

o-klp commented 9 years ago

Ah, thanks for the clarification! Any element’s .textContent property automatically escapes XSS attacks; jQuery’s .text() method does the same.

See https://developer.mozilla.org/en-US/docs/Web/API/Node.textContent, specifically the section on the difference from innerHTML.

I’m not sure how you’re currently escaping attacks. Is it ‘.html safe’? And does that rely on pre? I’ve not heard anything about pre elements escaping, but I’m pretty new to this so please don’t hesitate to correct me

I can submit a new pull request with the .textContent change, let me know if you think it would help :/
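The following is an added example, not code from the cryptonote project or from either participant. It illustrates the point the two comments above circle around: the wrapping element (pre versus p) does nothing to neutralise markup inside the decrypted text; what matters is whether that text reaches the page as markup or as text. Node has no DOM, so `TextNodeSink` is a constructed stand-in for one documented DOM behaviour (assigning through `textContent` creates a text node, and serialising that node, which is what `innerHTML` returns, escapes `&`, `<` and `>`). `SAMPLE_PLAINTEXT` is a constructed value; `escapeHtml`, `renderAsMarkup`, `renderEscaped` and `renderViaTextContent` are names chosen for this example.

```javascript
// Added example, not the cryptonote project's own code. It shows why the pull
// request's <pre> -> <p> change neither caused nor fixed the XSS risk: the risk is
// in how the decrypted string is inserted, not in which tag surrounds it.

// Constructed sample decrypted message containing markup-significant characters.
const SAMPLE_PLAINTEXT = 'Tom & Jerry <script>alert("hi")</script>';

// Characters that must not reach an HTML parser unescaped, with their entity forms.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Server-side style escaping (the kind a template engine applies before concatenation).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: the plaintext is dropped into the page as markup. Whichever tag wraps it,
// a browser will parse the inner string as HTML, so a <script> inside it executes.
function renderAsMarkup(tagName, plaintext) {
  return `<${tagName}>${plaintext}</${tagName}>`;
}

// Safe server-side rendering: escape first, then wrap. The tag choice is irrelevant.
function renderEscaped(tagName, plaintext) {
  return `<${tagName}>${escapeHtml(plaintext)}</${tagName}>`;
}

// Constructed stand-in for a DOM element's textContent setter / innerHTML getter pair.
// Real elements behave the same way: textContent stores a text node without parsing,
// and innerHTML serialises that text node with '&', '<' and '>' escaped.
class TextNodeSink {
  constructor() { this.text = ''; }
  set textContent(value) { this.text = String(value); }
  get innerHTML() { return this.text.replace(/[&<>]/g, (ch) => HTML_ESCAPES[ch]); }
}

// Safe client-side rendering: assign through textContent (jQuery's .text() does the
// same). Returns the serialised result so the effect can be inspected.
function renderViaTextContent(el, plaintext) {
  el.textContent = plaintext;
  return el.innerHTML;
}

// True when the rendered HTML still carries the raw script tag from the input.
function leaksScriptTag(html) {
  return html.includes('<script>');
}

// Usage: compare the four renderings of the same decrypted message.
console.log(renderAsMarkup('pre', SAMPLE_PLAINTEXT));              // raw <script> survives
console.log(renderAsMarkup('p', SAMPLE_PLAINTEXT));                // raw <script> survives
console.log(renderEscaped('p', SAMPLE_PLAINTEXT));                 // escaped, inert
console.log(renderViaTextContent(new TextNodeSink(), SAMPLE_PLAINTEXT)); // escaped, inert
```

The `leaksScriptTag` check is the property a reviewer wants to hold on every code path that renders user-supplied plaintext: it is false for both escaped renderings and true for both markup renderings, regardless of whether the wrapper is pre or p.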

alainmeier commented 9 years ago

Thanks for bringing this to my attention - I went ahead and patched it.

https://github.com/alainmeier/cryptonote/commit/8ff58b48c1b35648a5135382b4bd8d313e630d7c

https://github.com/alainmeier/cryptonote/commit/18c0299cc5c8d2d253dd6b7acb612cfa6d848e64

https://github.com/alainmeier/cryptonote/commit/bdb92a73006cdd868a3911b922f636fe21d375b5

alainmeier commented 9 years ago

@kayellpeee if you are looking for a way to hone your skills and contribute, I have added a few issues to the repo if you feel like helping out.

o-klp commented 9 years ago

@alainmeier I’ll definitely check them out; depending on their scope and my free time, I may try one or two.