escape userId before setting it as HTML attribute

ether · Apr 8, 2021 · a796811 · a796811
1 parent 9408d43
commit a796811
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/src/static/js/chat.js b/src/static/js/chat.js
@@ -129,6 +129,7 @@ exports.chat = (() => {
             'Replacing with "unknown". This may be a bug or a database corruption.');
       }
 
+      msg.userId = padutils.escapeHtml(msg.userId);
       const authorClass = `author-${msg.userId.replace(/[^a-y0-9]/g, (c) => {
         if (c === '.') return '-';
         return `z${c.charCodeAt(0)}z`;