MDL-67637 core_message: only preview lastmessage text if safe to do so
[moodle.git] / message / amd / src / message_drawer_view_overview_section.js
index 8fa7398..fed38be 100644 (file)
@@ -223,7 +223,10 @@ function(
                 // If that's not possible, we'll report it under the catch-all 'other media'.
                 var messagePreview = $(lastMessage.text).text();
                 if (messagePreview) {
-                    return messagePreview;
+                    // The text value of the message must have no html/script tags.
+                    if (messagePreview.indexOf('<') == -1) {
+                        return messagePreview;
+                    }
                 }
             }
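Review bot: The added `indexOf('<')` check filters only the result; the context line above it, `$(lastMessage.text).text()`, still passes the raw message text to jQuery, which builds DOM nodes from it (or may treat it as a selector when it does not start with a tag) before any check runs. Parsing untrusted markup this way can trigger resource loads and inline handlers even though the nodes are never attached to the page. The extraction itself should therefore use an inert document, for example `var messagePreview = new DOMParser().parseFromString(lastMessage.text, 'text/html').body.textContent;`. Whether the returned preview is later rendered as text or as HTML is not visible in this hunk, so the caller's escaping should be confirmed. The enclosing function starts and ends outside the hunk.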