@@ -21,6 +21,7 @@ import { MatrixEvent } from "matrix-js-sdk/src/models/event";
2121import { renderToStaticMarkup } from "react-dom/server" ;
2222import { EventType , MsgType } from "matrix-js-sdk/src/@types/event" ;
2323import { logger } from "matrix-js-sdk/src/logger" ;
24+ import escapeHtml from "escape-html" ;
2425
2526import Exporter from "./Exporter" ;
2627import { mediaFromMxc } from "../../customisations/Media" ;
@@ -97,28 +98,36 @@ export default class HTMLExporter extends Exporter {
9798 const exporter = this . room . client . getSafeUserId ( ) ;
9899 const exporterName = this . room . getMember ( exporter ) ?. rawDisplayName ;
99100 const topic = this . room . currentState . getStateEvents ( EventType . RoomTopic , "" ) ?. getContent ( ) ?. topic || "" ;
100- const createdText = _t ( "%(creatorName)s created this room." , {
101- creatorName,
102- } ) ;
103101
104- const exportedText = renderToStaticMarkup (
102+ const safeCreatedText = escapeHtml (
103+ _t ( "%(creatorName)s created this room." , {
104+ creatorName,
105+ } ) ,
106+ ) ;
107+ const safeExporter = escapeHtml ( exporter ) ;
108+ const safeRoomName = escapeHtml ( this . room . name ) ;
109+ const safeTopic = escapeHtml ( topic ) ;
110+ const safeExportedText = renderToStaticMarkup (
105111 < p >
106112 { _t (
107113 "This is the start of export of <roomName/>. Exported by <exporterDetails/> at %(exportDate)s." ,
108114 {
109115 exportDate,
110116 } ,
111117 {
112- roomName : ( ) => < b > { this . room . name } </ b > ,
118+ roomName : ( ) => < b > { safeRoomName } </ b > ,
113119 exporterDetails : ( ) => (
114- < a href = { `https://matrix.to/#/${ exporter } ` } target = "_blank" rel = "noopener noreferrer" >
120+ < a
121+ href = { `https://matrix.to/#/${ encodeURIComponent ( exporter ) } ` }
122+ target = "_blank"
123+ rel = "noopener noreferrer"
124+ >
115125 { exporterName ? (
116126 < >
117- < b > { exporterName } </ b >
118- { " (" + exporter + ")" }
127+ < b > { escapeHtml ( exporterName ) } </ b > I { " (" + safeExporter + ")" }
119128 </ >
120129 ) : (
121- < b > { exporter } </ b >
130+ < b > { safeExporter } </ b >
122131 ) }
123132 </ a >
124133 ) ,
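Review bot: The values used as JSX text children inside `renderToStaticMarkup` — `safeRoomName` in the roomName substitution, `escapeHtml(exporterName)` and `safeExporter` in the exporterDetails anchor — are escaped twice, because React already HTML-escapes text children, so a display name containing `&`, `<` or `"` will show up in the export as `&amp;lt;`-style text. escapeHtml is only needed where the value is interpolated into a raw template literal (the header, topic and intro hunks later in this commit); within JSX the raw values should be used: `roomName: () => <b>{this.room.name}</b>,`, `<b>{exporterName}</b>{" (" + exporter + ")"}` and `<b>{exporter}</b>`, while `safeRoomName`/`safeTopic` stay for the string templates. The stray `I` between `</b>` and the parenthesised id on that line looks like a rendering artifact rather than source, but is worth confirming. The enclosing method starts before this hunk and continues past it.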
@@ -127,7 +136,7 @@ export default class HTMLExporter extends Exporter {
127136 </ p > ,
128137 ) ;
129138
130- const topicText = topic ? _t ( "Topic: %(topic)s" , { topic } ) : "" ;
139+ const safeTopicText = topic ? _t ( "Topic: %(topic)s" , { topic : safeTopic } ) : "" ;
131140 const previousMessagesLink = renderToStaticMarkup (
132141 currentPage !== 0 ? (
133142 < div style = { { textAlign : "center" } } >
@@ -183,12 +192,12 @@ export default class HTMLExporter extends Exporter {
183192 <div
184193 dir="auto"
185194 class="mx_RoomHeader_nametext"
186- title="${ this . room . name } "
195+ title="${ safeRoomName } "
187196 >
188- ${ this . room . name }
197+ ${ safeRoomName }
189198 </div>
190199 </div>
191- <div class="mx_RoomHeader_topic" dir="auto"> ${ topic } </div>
200+ <div class="mx_RoomHeader_topic" dir="auto"> ${ safeTopic } </div>
192201 </div>
193202 </div>
194203 ${ previousMessagesLink }
@@ -214,10 +223,10 @@ export default class HTMLExporter extends Exporter {
214223 currentPage == 0
215224 ? `<div class="mx_NewRoomIntro">
216225 ${ roomAvatar }
217- <h2> ${ this . room . name } </h2>
218- <p> ${ createdText } <br/><br/> ${ exportedText } </p>
226+ <h2> ${ safeRoomName } </h2>
227+ <p> ${ safeCreatedText } <br/><br/> ${ safeExportedText } </p>
219228 <br/>
220- <p> ${ topicText } </p>
229+ <p> ${ safeTopicText } </p>
221230 </div>`
222231 : ""
223232 }