From: Art Cancro Date: Sat, 16 Sep 2023 16:12:25 +0000 (-0400) Subject: Sanitize better. "&" is handled before "<" and ">" so it doesn't sanitize the >... X-Git-Tag: v995~24 X-Git-Url: https://code.citadel.org/?p=citadel.git;a=commitdiff_plain;h=72ae8c2f9996d980ee9d160e07b9803a353aa5e8 Sanitize better. "&" is handled before "<" and ">" so it doesn't sanitize the > and < ampersands. Ampersands are awesome. They look a lot like treble clefs, don't they? Actually they hate each other. --- diff --git a/webcit/static/instant_messenger.html b/webcit/static/instant_messenger.html index 67b3604a3..c43ac2426 100644 --- a/webcit/static/instant_messenger.html +++ b/webcit/static/instant_messenger.html @@ -102,9 +102,12 @@ function ShowNewMsg(gexp_xmlresponse) { result = gexp_response.substring(0, breakpos-1); the_message = gexp_response.substring(breakpos+1); the_message = the_message.substring(0, the_message.indexOf('\n000')); + + // Sanitize HTML in the message + the_message = the_message.replaceAll("&", "&"); the_message = the_message.replaceAll("<", "<"); the_message = the_message.replaceAll(">", ">"); - the_message = the_message.replaceAll("&", "&"); + sender = extract_token(result.substring(4), 3, '|'); // Figure out which div to write it to...
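Review bot: Moving the ampersand replacement ahead of the "<" and ">" replacements is the right ordering (escaping "&" last would re-escape the entity text just produced for the angle brackets), but as rendered on this page the three calls read replaceAll("&", "&"), replaceAll("<", "<") and replaceAll(">", ">"), i.e. identical search and replacement strings, which would be no-ops; the page's HTML rendering has evidently decoded the entity strings, so confirm that the committed source contains the literal entity forms (&amp;, &lt;, &gt;) as replacement values. Also, this escapes only "&", "<" and ">", which is adequate only when the_message is written as element text; if it is ever placed into an attribute value, double and single quotes would need escaping as well. A more robust option than escape-then-assign is to insert the message with textContent or document.createTextNode(), which makes the ordering of replacements irrelevant and removes the entity handling from this function altogether. Minor style point: the added "+" line before "sender = extract_token(...)" leaves a stray blank line in the function.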