Prevent html injection using user tag

destinygg · Apr 11, 2024 · 5a4938e · 5a4938e
1 parent 7d481a0
commit 5a4938e
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/assets/chat/js/messages/ChatUserMessage.js b/assets/chat/js/messages/ChatUserMessage.js
@@ -61,11 +61,12 @@ export default class ChatUserMessage extends ChatMessage {
     else if (this.slashme || this.continued) ctrl = '';
 
     const colorFlair = usernameColorFlair(chat.flairs, this.user);
-    const user = `${this.buildFeatures(this.user, chat)} <a title="${
-      this.title
-    }" class="${['user', colorFlair?.name].filter(Boolean).join(' ')}">${
-      this.user.displayName
-    }</a>`;
+    const user = `${this.buildFeatures(this.user, chat)} <a title="${this.title
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')}" class="${['user', colorFlair?.name]
+      .filter(Boolean)
+      .join(' ')}">${this.user.displayName}</a>`;
     return this.wrap(
       `${this.buildTime()} ${user}<span class="ctrl">${ctrl}</span> ${this.buildMessageTxt(
         chat,