Closed quorth0n closed 10 years ago
Hi Mulletfingers999,
thanks for the patch. Unfortunately removing all escaping is probably creating a security issue in regards to script injection. Un-escaping just the single-quote is probably safe though.
Thanks zimbatm, I made some changes to the code. Can you look at it again?
Sincerely, Liam O'Flynn
Thanks Mulletfingers999
Hello All,
Recently, while I was working on my project Collab.Center (https://github.com/Mulletfingers999/Collab.Center), which uses Pusher, I found that a user's name was not properly escaped in the Chat (https://github.com/Mulletfingers999/Collab.Center/issues/7). I edited PusherChatWidget.js myself to fix this. Once I found Pusher was open sourced, I created a pull request. This pull request properly escapes activity.actor.displayName. Previously, if the user's name was 'Liam O'Flynn' it would become 'Liam O\'Flynn'.
Sincerely, Liam O'Flynn
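The distinction this thread turns on, as an added example that is not code from the pull request or from PusherChatWidget.js: backslash-escaping a quote is JavaScript string-literal escaping and shows up verbatim in rendered HTML, while HTML entity escaping displays the name correctly and still neutralises markup. All function names and sample names below are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the widget's actual code.

// Characters that are significant in HTML text and quoted attribute values.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructed reproduction of the symptom described above: a backslash is
// put before the quote. HTML has no backslash escapes, so the backslash is
// displayed to the user, and angle brackets pass through untouched.
function backslashEscape(value) {
  return String(value).replace(/'/g, "\\'");
}

// Demo only: decode the five entities to show what a browser would display.
const DECODE = Object.fromEntries(
  Object.entries(HTML_ENTITIES).map(([ch, entity]) => [entity, ch])
);
function displayedText(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => DECODE[e]);
}

// Build the chat markup with the display name escaped for HTML context.
function renderActor(displayName) {
  return '<span class="activity-actor">' + escapeHtml(displayName) + '</span>';
}

// Constructed sample display names.
const plainName = "Liam O'Flynn";
const markupName = '<script>alert(1)</script>';

console.log(backslashEscape(plainName));            // backslash is visible
console.log(displayedText(escapeHtml(plainName)));  // name displays correctly
console.log(backslashEscape(markupName));           // markup left intact
console.log(renderActor(markupName));               // markup rendered inert
```

Removing escaping altogether would fix the display of the apostrophe but leave the second sample name live as markup, which is the reviewer's concern.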