Escape HTML in og:description and render any html &-encoded entities

This commit is contained in:
Michael Telatynski 2019-12-28 20:05:55 +00:00
parent 6ef6b5909f
commit 4489b5a21a

View file

@ -128,15 +128,15 @@ module.exports = createReactClass({
}
const AccessibleButton = sdk.getComponent('elements.AccessibleButton');
// Escape </> to prevent any HTML injections, we can't replace & as the description may contain & encoded html entities
const safeDescription = (p["og:description"] || "").replace("<", "&lt;").replace(">", "&gt;");
return (
<div className="mx_LinkPreviewWidget" >
{ img }
<div className="mx_LinkPreviewWidget_caption">
<div className="mx_LinkPreviewWidget_title"><a href={this.props.link} target="_blank" rel="noopener">{ p["og:title"] }</a></div>
<div className="mx_LinkPreviewWidget_siteName">{ p["og:site_name"] ? (" - " + p["og:site_name"]) : null }</div>
<div className="mx_LinkPreviewWidget_description" ref={this._description}>
{ p["og:description"] }
</div>
<div className="mx_LinkPreviewWidget_description" ref={this._description} dangerouslySetInnerHTML={{ __html: safeDescription }} />
</div>
<AccessibleButton className="mx_LinkPreviewWidget_cancel" onClick={this.props.onCancelClick} aria-label={_t("Close preview")}>
<img className="mx_filterFlipColor" alt="" role="presentation"