From 4e809346537e230cbff8235bfee0e7e151e4e9f9 Mon Sep 17 00:00:00 2001
From: Jake Dallimore <jake@moodle.com>
Date: Wed, 8 Jan 2020 14:22:48 +0800
Subject: [PATCH] MDL-67637 core_message: only preview lastmessage text if safe
 to do so

If any html/script tags are found in the text() value, don't display it.
---
 ...essage_drawer_view_overview_section.min.js | Bin 8793 -> 8838 bytes
 ...ge_drawer_view_overview_section.min.js.map | Bin 54018 -> 54254 bytes
 .../message_drawer_view_overview_section.js   |   5 ++++-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/message/amd/build/message_drawer_view_overview_section.min.js b/message/amd/build/message_drawer_view_overview_section.min.js
index 5271dc11f845347148c16679f989553bbe573ec2..c6daf6ffc44eba2f9a86e687d703e4305de19fe7 100644
GIT binary patch
delta 179
zcmccV(&oBBnTN^HV6qC2hK`|uby87kVs>q2nuel=uA!}Mre0=VN@|6Fnud~%lBT9+
zb&_6QYDI}HP=haz28W@6RhF$%rvBswJc^s=@~AL!8(YIvm`y&zt1Dt=m1CQvSDczx
z0++Cy%*&_7XgS%0&q&VLDoL-PD7DPi2&A#Zz&0sbDLJtuIYTK{!_atg3!f#U`Q&|k
Qnk>dTM#h_8^W_Nx0AlAfNB{r;

delta 134
zcmZp3z3H++nTOGGvMP@TkgVj<V7Ii&vQ^5|pL~`_aq}r26-I6&>m<Fr)QS>YL(|DW
zd38lht#WLW^ompSO5hR}ldbsF7%e6z@)^k)StaQe6s4Bg8i6#H7}zF7D<vnEBxfka
cY8V<#-pFUkXg2vZpC*fuj*-!33I04`0E$v4Y5)KL

diff --git a/message/amd/build/message_drawer_view_overview_section.min.js.map b/message/amd/build/message_drawer_view_overview_section.min.js.map
index 32de90f70a6c720ceee0f94d6e4829cc8e5ab564..1331bfd482b6aaac3d0b677041d4fdbe25b8645e 100644
GIT binary patch
delta 4207
zcmcgwO>A4o5yrFOTDC*Fk$)taltkH<D2Y$}6Dg9lWO?86N0js=%d&ofq@iSqqA31}
zKO&hTN`nTyw2h%DnilE7J@f}ijRw%E30ky=9Ne_9gBA_YB1MY=z13+Bz2uV4&Qi%!
zViyJqREPKW?at18GxN>tQZN1J=))f$edFb0$5Yu`Yt`xX{g;m2J+>b@6*;Y>VfVs~
z-Ll4#T250rV_ZBoxEf*jC&sHZ%hhSd*2S=_sWHYXLU==4P<@=GwDB;0ZEA6K4wti9
z1iva;Mu?QP6*VKi68N!$YeIijuI*@xYD#>W7jV+8p-$8sUxY48i;{wnWm!2GcUq_5
zBg<39@29f7sHtv^75Rh*YS#8^4#G|#ab=aUl0Z=6lj<xAtqW8ozNYSItjwdHD1J6v
zoE1avg+E$d=PEpc;$<mbL2*R50~gvYH>y0W?jTN{)k3s+iMFL;D9=_fJ|2!P*EHtk
z%W9kr@+H+BW^7C?huQU%fKm)^bHXV6WwCAedi%3q^lGZ!fXW<NiNpQ&^Kh!8Me)L=
z4wsUJ*^XEnZIJmW2u&=84_?)(u-|d<cuiAh7@OJaJPZHoIJa9T8xmcOBb2cTl#W+1
z_L#(Ju|483$hgJ)xCqaLkXc}i%tZzbGF~x1Dcsf%>G2z6d_vDu1ise!bZebZN<WE4
zG~{l$+u5xQ!tXn;bUL(8P3497O(7E&R7zB|0u0zJ_D%7{q$}w#x`Kg5W)`%(2mmXP
zbzXp+O*I*13-A+LkA3?IcmLa_S`O_Fi$JZA1#Ke?&s}OqJ}!5)w@In6z%Z90?YfZS
zRk+>N*Gw~f5oeGpnAGV_c&E#ciBv8I%v)4blpDdQ=*92b2cHn%iA%$lfI+tKNPI6`
zYVS7UTNTLW1=O0Bp+FsA{naI3hY|fW(uZ$}6f|&Gq4}~CU1pbCuOL$<Sb&Qp4sqRM
zfI-X;U^(DYkk8|DD@;5ug|SIsrNFl@dzz6&aTXTr;#4WKWq9whTiJr9ZmW`k?(R`j
zR;)I%JOqVqyD4v&DZmfAJCzW;-5p0rr+chQ1=Jo(%1bg-?$l~{MavU9VmOyUx`8bP
zv5RDs;=+n7BFUR_T+~febe)7Tq<+%8Eqq{J%?oezoR8Nd7=~pLg(Y1S{H%|JZVH(s
zg>GA`JjQ&UEH~N(oVMGKyJp64V+}^^ADOeX`U#aIy{{^Mc)xdOq!w3`8e=jsd{fw?
z>WJ`^z#kRXVmwd1Xb#8J6vl4hD9#;ly{~Hw*W&Dk*f=9&Un5}xEn|jGik>SoAY&ss
zHH&4)y%{m)S@?OM)r>tA!zk2aSFgg~`}&m}nEQjf6@z;_adoLtI&N)CILSO3g5Y8p
z3A?FmiH9+23v%e9X>v5eu+DK8q2M^iN+g?TUW9$?)36iCcpcvEFWZTWb#0S)rwK0d
zaeVmagx%b{E|n(X9ft+J;uy7-=EXvAUQZJEA`wEyC=c&BrmPzaLZG~$JH#71vv^8@
zZD6WhsX=0(9ozHnfVI^TqXsNQu!8U@Dd>T>)PN~S&K=BrtaeyKq`R=FCqJjV`oHS-
zFAANRB|SyDC9NdxI(VGD$_^|$+m$?2o$Zgueb@O}+#fpqhdkMWLD%Kp(2}rHUe=3b
z4RiEKlsq&;R9o}HuB+w9;21n~SejHXlG>-G;4PQMQePHg>4Z)RNE*`MhYww=C-Vuh
z?oH?pc-HMg*xz#VlL4B{t>`uQb7RsDUXS%;X+=m6t>`{j^f*bn4eogQPr7KKxT<^M
z4~7LZ^n0z=>MCKlr3b~E1r1JY!HU;&u0U0D==jaX;q<vKxaYMh1^9<Ipm?BT(BI=7
z7iZdvP*c;033w1jumgDn8yhXo2erWtr3&92e9ei>!Fj2g+6apU45GntHG|P2g(*B`
z622Ct3^iY;vI*bwxz7d-$RtJiHoWh12B{uyP&v$sYN)RX-%{&(jp`?D@X<pRAQKe?
z?hhce=lw;c2p{<SrC)eWygt-wGCGlg@=#ZAU|py!BsHBHkTL(ELu!9HG}K6kInZqK
zk&E(5kcELjiz!3Wa%K=_0xfd|N=BnC*6Bk8lvf2uJV{N=6gM<INxF=diA3a2PTQna
zx?bQ7GY!88=;YEx7zmzl<Y?8%x(XSh&D35Zc;JZ!xdVw{he=)<8`lx|MlfOy(Vc1v
zv9MKd6#f$IQv7?Nc5{G0&_$uB`S%?mn}WyI2a^u8ZqawlGVe0uya0FfNj%&Bskb%F
zi#<zh6Vg}i97#sOG~ABIfn)fhlH41!L3X%D2|!__8{QmNjq8@C2qUB<79X*b*yI@_
zLskXMSO^}Bv>r)E;oWeHNmi-sSza(-{c=M)T(v)P>+h~UX6vcZgRQqmJ?1inQ3jS*
z;Qr{GiSj0YO&|o%wbr1Us7Q@5Cc7}Pk{`lEimoH@>luM^rV<UoSFa6V`~BIqA<KWM
zl|7a`;)ubEzE<-lDQQ$<5ME(c?At$O0~qo@v0l829MuX+9m<+N@Mzm?gQzF(5iZgu
zOO`mo@U;D##!a%2WGsW=;g&`$xA|EpX-~tey!$ipzQ?&q*2%%Hw(!BO<*<tQUW>Xe
zNKTSOo@kXLG#lX*JP5ZUq27%-zaUb})8L6Y(VypH3rDuONU&U0(tBeApTl<+rpC+-
zjM?b_$C?YC8M}W@R)-8B-9uPxV**%wrfrCbAc;z?Q7-ckydDpZ$g@~@Kb97ei2Ea1
zD&dAyQ5V-;S?y&lKy;#Csw|Do(>C5`mgiI@igFRWg)fY|Pi$>dFG*J5_PEO=nk8#A
zj}-iN+-{Y(LA(azLMluzdCks6d~kZAttBhw!h*+KpvNBobftpPi8MCO*C(Da%PzDm
zG^DW!ou9mh&2V8-JCh@KWgzIT6{B+mu71h%B<;eY<n~WY<rO8rU!UITy6SS-Zf>mE
zN^8}Ut&-R(ui0|zwi3={){4bM65r)w$+nTGtl6?T+eRs~<tnajr}8CRDUmEfA%AA?
zg(mn--rVeL{HvhXK5Xx^jf~g^;0ND14=+C71b=<=I6T}u4j<<)fV+MSUfFGi2fuEH
NYu_~QhYI%+{{c6bsY(C<

delta 4172
zcmcgvS!`Qr71nLlg(9cxG)e93P2I#djvdEKm?X`Af7>^XbK|B<(gf&`WKwVOmc({q
zX{Klp!_%<ns47xt3Qr(L6*HqqqmdZIHX!lPsrmpCF9;-fm?BVlLxYew=lo9VRt1$8
z@^EwS|DSXI?`+?H{I~D#eeHXD-~H;oop0=Wd*A;2%d1<7YdikW#tv&~xPI!wd5;vU
z7lbawwORe5C>VJ|;z!ZQ8ThYYEbBS?TEdS~eQ#aum5eKTT8edJ9{0*d#n4S5Vsmic
z-mE2|VqesD-@o9Pu}xZfOqc>6k7aQEdP;5>y2lVX8Lvgr5dP8Aq=y`m`eh-e=zTRr
zu*5ZbpvH<2n*=Z~rxA5dUW@R@s$MljK}H)*T_hFhiK3jCqxXWr7K@}0eQmARi!ws4
zD<eg@N^X_pA_Iw$hDolSr?(}-xGuwb6@8X@BgmK+XiFwdI$~K*h>FDMZ5yI07t!G@
zxuAQ(LQLxAusENlV{_qk$^KC6_6oBIAGKXQ>@jq!?w4>G>)>s7YaaMg`=GW4-)uKq
zFVit9J|(ikQIcCm1s=9{k5vtQR)|?zk5t&Wf>oBd9;F3y3v){eV41B3nJOeYnmcL@
zE87zNn4+l0No!t+d06T=@ws_1O)gusm=GetrhE;Gn6reKA;kpAtYYd|W($sVp47JC
zK}WCV#rGFGLI#`V-8}hoiJ}n><725}6d==Scc$n|C`Zy^0>7+B1eGFJNQn=Y1-R3x
z+ZtsH@aN7m&f;@w4|VDGC$z)l+cF(pG6p5Q)zgM0eY2~rRY`>j!{sDfw@6A>;BHsn
zF<y~Za0M#_Q<+G?!EQh1aJ)O%l#!&xF~-_~uXMlZ^gbuPXwRtK-ymCfCcYo_wDmUP
zTOnj~bm+E`<v{IX{a4R$dn5V;R)}1q6x4B7AaUA_F28!Z#g2&MA}FaF0@7-PoP_sI
zw;are%cNO``=`Cfyi{Oe%D&`oxVQl)dOhtKS`nA%!NPJa%xuArEG+k)v#qg+%JeY&
zu-7@9Z&)crR7Ol8C&@T<@D!!N5*+9tt>PctIo<>MnGVE0ea4|}Li&vTx`z!hbug>R
zijn7Na`j3T%?pSHousU-bAzZxQw6pWquz=V+@;3Y``Ge2`7eeHb&ikYNKCUBL4XS)
zwiUq$GMy|~L=hK<SdGJxWa)Kd^FIK}GnP8Rz_inOz&}gAZa~fXY110-KI($k&feVP
zGhxu<fM8$iST&|64IxxwWr_~v?uy7HxfP`&O_^s3V{W0IntT}_F&Tn4`nrzcUQApd
z#aWfkD*UvsIi_-@0z@~1Fth9tlaIvRB_V?3SVVA!nMqktB5`4e=?uCvptHYU%R#(9
zq;EDjT8`-p_5Sl18BVR&KqQ>|NO&9G=|8EDFaxl25s~HasUwgluzUFkyeTN&8Tfnu
z>pte^nvo%39)l9ZWmLON2c+jLWrIV5%u0G|@V0B_NPdn4hUP36BiVr4E<5z-=Nv)a
zD9l?S-f)rOx@Hkx)ty=uZV$8}d4D+I&_eJ>{iIfdhXX-dfT64EtHJ0%yTdn6CbCy7
z7jHG1s{C)Jj@GV_spNu{WK<;y*@08=in~=S!%cTvN1m4{Uf~p#K_q2x-s1Q!%w3od
z+)u-F5Bi?~o`K@vY2jNSbA?5##AY$zk77{c6|VAC55IE@vTt%r5u|q#eumL}ICvna
z;QHA>fH+4~2&AM$Z7!0&YtiC%Y)p|4+@6&~nI+n<E?FVC<r&oSFfr5$fAaJn^72M{
z*{VW|cXwmS+kYs(Od6hLYY1+5-K^n+zjz&o{JfD{u{>~eNNq^R`U;=FVg=~Gz?<ul
zml^oZkoScGH_;P!^I8nNdKc{XIkW=w_=1@G&->^y_?EB5R^t&wwe=9Z?`zj8@EhMP
zcZk!k>@YP5)88N(n9_6D(aUsv8ZVvO!_C?Tyg%HbrQo;2o)duv7^;S35l;EtA+G%k
zT>2L|psVCaXw};0#?3Z3RO3ceX$!!Y{XvBGfqz3Qfgb3uJCTMr0xffmPGsZEHH<7|
zu=WTUeN5NhYjk8bX;{oPjg=C7;>dpn0`&~WgU7r>>^@BfLL%Ma1h7c&I7T5EqeBs7
z?JVmn883W2*xX;>Jk^PDi$A!Sc<8Al4O+>i49gXRdqKzH6d%G9AyPvcJ`GyzY4>or
zOd*Y|nK>3|EWJ%O%dYaJ7QwrbM&L5s4z=6V2wI<9;Mbvu4JTOSr5QrM5(dXem*#`<
zk+!B0E^3}BHVofRdZbg+wqU?=A%q31+N5eiRfF7s-&@moySZjs56+R!f=Iy+Ui|JJ
zR|MjtZD=w*+D#uz=Q`ld=o!rq?~L`rKSuRN2|K(rc3@ZPYhzB9nm*oGJ}ZRN3_{a*
z%bs);?i<ZE)zB12k?_Fu_)B%;_s5+B&rs!BQ~_8;pkbakA|sJ!T8o|Awf6BjZ_@^c
zRs~ybf^FimO%12Js0tG;AyvA}q9zxBDk=E{Og2QL`}rIJpRGiL@RNxFq~^a)1nmE<
zx5h<sPsoHH54SX>*h)<mTLA6~2a@^&F@Sk!G0tik5Jm|;l1JeeMsM)h#|xg!>I23I
z+f!Z6r6cgZ?U2%@dQU|-00n8UNBCWN0yFzd>3=E*2g0&XHBVjVk-HMn)-SkeDwBjz
zh4AgLj;MbZ9ki?RWxXO-AkIOkkqReG$~G3?;Ys&?ToN)31=Edg-Ztm=Y|6*GR2Woe
zS0`;xLEoC}u0y{Q{l6VJ0=Fjby`b7j1((M?VGd5g_1LU74EJNrS`a>og~rsCO&(A3
zY#j4P*0{r!irla;X!ygI{4X0!WdeWV;#U@V_v%z%le+LKQIv~_ZMZSz`OIL6i6u~m
zkEaH0^gBS!yagi*hvH60kjWNjWZX!H`Co<;P>2M;inlg%BEnSCk}4X1N)Vx}!7K4B
z{#^eg{>3K6R7`<cB&ti(6Udb}rj6q{ZUN;s-{&UZH_&0(o`+5BT4~3eDQa3~=YvGG
b3;yul0k~W0f)9Uw436A8x^s5@S4;l}cz>j*

diff --git a/message/amd/src/message_drawer_view_overview_section.js b/message/amd/src/message_drawer_view_overview_section.js
index 8fa739828bf..fed38be8407 100644
--- a/message/amd/src/message_drawer_view_overview_section.js
+++ b/message/amd/src/message_drawer_view_overview_section.js
@@ -223,7 +223,10 @@ function(
                 // If that's not possible, we'll report it under the catch-all 'other media'.
                 var messagePreview = $(lastMessage.text).text();
                 if (messagePreview) {
-                    return messagePreview;
+                    // The text value of the message must have no html/script tags.
+                    if (messagePreview.indexOf('<') == -1) {
+                        return messagePreview;
+                    }
                 }
             }
 
-- 
2.43.0