webcit: sanitize instant messages against XSS type stuff

[citadel.git] / webcit / static / instant_messenger.html

diff --git a/webcit/static/instant_messenger.html b/webcit/static/instant_messenger.html
index d254e0ba4548db321e53faa5718e060284f2c9fa..67b3604a3230986ce663ea7fb8b3ed9da97a56c4 100644 (file)
--- a/webcit/static/instant_messenger.html
+++ b/webcit/static/instant_messenger.html
@@ -55,7 +55,7 @@ function SendSomething(which_div, sendform, recipient) {
 
        // Send the text to the server
        parms = 'r=' + Math.random()
-               + '&recp=' + recipient
+               + '&recp=' + encodeURIComponent(recipient)
                + '&msg=' + encodeURIComponent(thetext);
        new Ajax.Request('../ajax_send_instant_message',
                {
@@ -102,6 +102,9 @@ function ShowNewMsg(gexp_xmlresponse) {
        result = gexp_response.substring(0, breakpos-1);
        the_message = gexp_response.substring(breakpos+1);
        the_message = the_message.substring(0, the_message.indexOf('\n000'));
+       the_message = the_message.replaceAll("<", "&lt;");
+       the_message = the_message.replaceAll(">", "&gt;");
+       the_message = the_message.replaceAll("&", "&amp;");
        sender = extract_token(result.substring(4), 3, '|');
 
        // Figure out which div to write it to...