webcit: sanitize instant messages against XSS type stuff
index 59f9981d4a42ec90d0c0d9015c3c6bb1463ff238..67b3604a3230986ce663ea7fb8b3ed9da97a56c4 100644 (file)
@@ -102,6 +102,9 @@ function ShowNewMsg(gexp_xmlresponse) {
        result = gexp_response.substring(0, breakpos-1);
        the_message = gexp_response.substring(breakpos+1);
        the_message = the_message.substring(0, the_message.indexOf('\n000'));
+       the_message = the_message.replaceAll("<", "&lt;");
+       the_message = the_message.replaceAll(">", "&gt;");
+       the_message = the_message.replaceAll("&", "&amp;");
        sender = extract_token(result.substring(4), 3, '|');
 
        // Figure out which div to write it to...
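Review bot: The `&` replacement on the third added line runs after the `<` and `>` replacements, so the `&lt;`/`&gt;` entities just produced are re-escaped to `&amp;lt;`/`&amp;gt;` and a message containing angle brackets renders as literal `&lt;`/`&gt;` text. Escape the ampersand first: `the_message = the_message.replaceAll("&", "&amp;");` followed by the existing `<` and `>` lines. The `sender` value extracted on the next line comes from the same response but is not escaped; if it is rendered into markup as well, it presumably needs the same treatment — worth confirming against the code that writes it. A short comment such as `// HTML-escape before insertion; '&' must be first so entities are not double-encoded` would keep the ordering from being "fixed" back. ShowNewMsg continues outside the hunk.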