
Commit 4774dfe

committed
Encode HTML entities in user input
1 parent 7961a91 commit 4774dfe

1 file changed

+4
-4
lines changed


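--- a/src/editor.html
+++ b/src/editor.html
@@ -1235,7 +1235,7 @@
 zss_editor.restorerange();
 var sel = document.getSelection();
 sel.deleteFromDocument();
-document.execCommand("insertHTML",false,"<a href='"+url+"'>"+title+"</a>");
+document.execCommand('insertHTML',false,'<a href="'+encodeHtmlEntities(url)+'">'+encodeHtmlEntities(title)+'</a>');
 
 zss_editor.enabledEditingItems();
 }
@@ -1317,7 +1317,7 @@
 }
 }
 
-var html_code = '<a href="' + link_url + '">' + sel + '</a>';
+var html_code = '<a href="' + encodeHtmlEntities(link_url) + '">' + encodeHtmlEntities(sel) + '</a>';
 zss_editor.insertHTML(html_code);
 
 }
@@ -1328,14 +1328,14 @@
 
 zss_editor.insertImage = function(url, alt) {
 zss_editor.restorerange();
-var html = '<img src="'+url+'" alt="'+alt+'" /><br>';
+var html = '<img src="'+encodeHtmlEntities(url)+'" alt="'+encodeHtmlEntities(alt)+'" /><br>';
 zss_editor.insertHTML(html);
 zss_editor.enabledEditingItems();
 }
 
 zss_editor.insertImageBase64String = function(imageBase64String, alt) {
 zss_editor.restorerange();
-var html = '<img src="data:image/jpeg;base64,'+imageBase64String+'" alt="'+alt+'" />';
+var html = '<img src="data:image/jpeg;base64,'+encodeHtmlEntities(imageBase64String)+'" alt="'+encodeHtmlEntities(alt)+'" />';
 zss_editor.insertHTML(html);
 zss_editor.enabledEditingItems();
 }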
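Review bot: Entity-encoding `url` before it lands in `href` (first hunk, new line 1238) and in `src` (third hunk, new line 1331) stops the value from breaking out of the attribute, but it does not constrain the URL's scheme, so a non-http(s) scheme string passes through the encoder unchanged and is still inserted as a live link or image source; the same applies to `link_url` in the second hunk. Validate the scheme before encoding, for example `var parsed = new URL(url, document.baseURI); if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return;`, adjusting the allowlist to whatever the editor is meant to accept and catching the TypeError that `new URL` throws on malformed input. The `encodeHtmlEntities` helper is not visible in this diff, and the first hunk also switches the attribute quoting from `'` to `"`, so confirm that it encodes `"` as well as `&`, `<` and `>`, otherwise the attribute boundary is still reachable. The functions enclosing the first two hunks begin outside the diff.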
