-rw-r--r-- | pkg/app/handler/cvetool/comments.go | 3 | ||||
-rw-r--r-- | pkg/app/handler/glsa/comments.go | 2 | ||||
-rw-r--r-- | web/packs/src/javascript/cvetool.js | 4 |
3 files changed, 6 insertions, 3 deletions
diff --git a/pkg/app/handler/cvetool/comments.go b/pkg/app/handler/cvetool/comments.go
index 3d76d75..1659ea7 100644
--- a/pkg/app/handler/cvetool/comments.go
+++ b/pkg/app/handler/cvetool/comments.go
@@ -8,6 +8,7 @@ import (
 	"glsamaker/pkg/models/cve"
 	"encoding/json"
 	"glsamaker/pkg/models/users"
+	"html"
 	"net/http"
 	"time"
 )
@@ -52,7 +53,7 @@ func addNewCommment(id string, user *users.User, comment string) (cve.Comment, e
 		CVEId:   id,
 		UserId:  user.Id,
 		User:    user,
-		Message: comment,
+		Message: html.EscapeString(comment),
 		Date:    time.Now(),
 	}
 
diff --git a/pkg/app/handler/glsa/comments.go b/pkg/app/handler/glsa/comments.go
index 1381984..bc626ef 100644
--- a/pkg/app/handler/glsa/comments.go
+++ b/pkg/app/handler/glsa/comments.go
@@ -91,7 +91,7 @@ func AddNewCommment(id string, user *users.User, comment string, commentType str
 		User:      user,
 		UserBadge: user.Badge,
 		Type:      commentType,
-		Message:   comment,
+		Message:   html.EscapeString(comment),
 		Date:      time.Now(),
 	}
 
diff --git a/web/packs/src/javascript/cvetool.js b/web/packs/src/javascript/cvetool.js
index b9a8272..1e483b8 100644
--- a/web/packs/src/javascript/cvetool.js
+++ b/web/packs/src/javascript/cvetool.js
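Review bot: `Message: html.EscapeString(comment)` in addNewCommment escapes at storage time, so the persisted value is HTML-encoded text rather than what the user wrote, and every other consumer of cve.Comment.Message (a JSON API, a server template that already escapes — Go's html/template does — an export) will now double-escape and show `&amp;lt;` literally; the glsa hunk (AddNewCommment) has the same issue. The conventional placement is to store the raw text and escape once at the point of rendering. If storage-time escaping is kept deliberately, record it on the struct field, e.g. `// Message is stored HTML-escaped; render verbatim, do not escape again.`, and note that rows written before this change are still unescaped. The glsa hunk does not show an `"html"` import being added, unlike the cvetool file, so unless glsa/comments.go already imports it the build fails — worth confirming. Both function bodies continue outside their hunks.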
@@ -339,7 +339,7 @@ function registerCommentListener(){ if(data != "err") { var comment = JSON.parse(data); var commentDate = '<small class="text-muted">' + comment.Date.split("T")[0] + ' ' + comment.Date.split("T")[1].split(".")[0] + ' UTC</small>'; - var newComment = '<div class="col-3 text-right mb-3"><b>' + comment.User.Name + '</b><br/>' + commentDate + '</div><div class="col-9 mb-3"><div class="card" style="background: none;"><div class="card-body">' + escape(comment.Message) + '</div></div></div>'; + var newComment = '<div class="col-3 text-right mb-3"><b>' + comment.User.Name + '</b><br/>' + commentDate + '</div><div class="col-9 mb-3"><div class="card" style="background: none;"><div class="card-body">' + comment.Message + '</div></div></div>'; $('.comments-section[data-cveid="' + cveid + '"]').append(newComment); } return @@ -517,4 +517,6 @@ function updateBugInformation(cveid, bugid){ }); } + + export default {initDatatable, destroyDatatable} |
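Review bot: The new `newComment` line concatenates `comment.Message` straight into markup, which is only safe while every stored message has passed through the server-side escaping this commit adds; comments persisted before the change are still raw, and `comment.User.Name` on the same line was never escaped at all. The removed `escape()` was JavaScript's percent-encoder, not an HTML escaper, so the old line offered no real protection either. Building the body as a text node removes the dependence on what is stored, e.g. `var body = $('<div class="card-body">').text(comment.Message);` and the same `.text()` for the name, then appending the elements instead of an HTML string. registerCommentListener's body continues outside the hunk; the second hunk in this section only adds the export line.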