Sanitize better. "&" is handled before "<" and ">" so it doesn't sanitize the &gt...
author: Art Cancro <ajc@citadel.org>
Sat, 16 Sep 2023 16:12:25 +0000 (12:12 -0400)
committer: Art Cancro <ajc@citadel.org>
Sat, 16 Sep 2023 16:12:25 +0000 (12:12 -0400)
Ampersands are awesome.  They look a lot like treble clefs, don't they?  Actually they hate each other.

webcit/static/instant_messenger.html

index 67b3604a3230986ce663ea7fb8b3ed9da97a56c4..c43ac2426dd2286b667b2e0bd096aeee16e785ac 100644
@@ -102,9 +102,12 @@ function ShowNewMsg(gexp_xmlresponse) {
        result = gexp_response.substring(0, breakpos-1);
        the_message = gexp_response.substring(breakpos+1);
        the_message = the_message.substring(0, the_message.indexOf('\n000'));
+
+       // Sanitize HTML in the message
+       the_message = the_message.replaceAll("&", "&amp;");
        the_message = the_message.replaceAll("<", "&lt;");
        the_message = the_message.replaceAll(">", "&gt;");
-       the_message = the_message.replaceAll("&", "&amp;");
+
        sender = extract_token(result.substring(4), 3, '|');
 
        // Figure out which div to write it to...
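Review bot: The reordering is correct for element-text context (escaping `&` first means the `&lt;`/`&gt;` produced by the next two lines are not re-escaped into `&amp;lt;`), but `"` and `'` are still untouched, so `the_message` is only safe when written as text content, not into an attribute value; if it is ever placed in an attribute, append `.replaceAll('"', "&quot;")` and `.replaceAll("'", "&#39;")` after the `>` replacement, or better, insert it via `textContent` rather than `innerHTML` so no escaping is needed at all. The line right after the new block, `sender = extract_token(result.substring(4), 3, '|');`, does no escaping on `sender`; if that value is written into the same div as the message it needs the same treatment, since it comes from the same untrusted response. Consider moving the three `replaceAll` calls into a single `escapeHtml()` helper so the ordering requirement lives in one place instead of a comment; note also that `String.prototype.replaceAll` is ES2021, so if WebCit still targets older browsers a global-regex `replace(/&/g, ...)` form is the portable equivalent.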