Merge pull request #283 from joker314/patch-1

Prevent XSS in images
decent-chat · Mar 3, 2018 · 0c10790 · 0c10790
2 parents 697b745 + 50bb41c
commit 0c10790
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/packages/client/src/util/mrk.js b/packages/client/src/util/mrk.js
@@ -140,7 +140,7 @@ const withState = state => {
       </a>`,
 
       image({ metadata }) {
-        const src = mark.escapeHTML(metadata.src)
+        const src = mark.sanitizeURL(mark.escapeHTML(metadata.src))
         const alt = mark.escapeHTML(metadata.alt)
 
         return `<a href='${src}' target='_blank' class='Message-image'>