Merge pull request #722 from Thulinma/noHtmlFixes

Fix two more HTML injection attacks.

Merge pull request #722 from Thulinma/noHtmlFixes
e88ab89c · Nicolas Werner · GitHub · 7bb1b1c6 · 45b5629f · e88ab89c
Unverified Commit e88ab89c authored 3 years ago by Nicolas Werner Committed by GitHub 3 years ago
--- a/src/RoomsModel.cpp
+++ b/src/RoomsModel.cpp
@@ -77,7 +77,7 @@ RoomsModel::data(const QModelIndex &index, int role) const
                        return QString::fromStdString(
                          roomInfos.at(roomids[index.row()]).avatar_url);
                case Roles::RoomID:
-                        return roomids[index.row()];
+                        return roomids[index.row()].toHtmlEscaped();
                }
        }
        return {};

--- a/src/timeline/Reaction.h
+++ b/src/timeline/Reaction.h
@@ -16,8 +16,8 @@ struct Reaction
        Q_PROPERTY(int count READ count)
 public:
-        QString key() const { return key_; }
+        QString key() const { return key_.toHtmlEscaped(); }
-        QString users() const { return users_; }
+        QString users() const { return users_.toHtmlEscaped(); }
        QString selfReactedEvent() const { return selfReactedEvent_; }
        int count() const { return count_; }