MDL-67637 core_message: only preview lastmessage text if safe to do so
authorJake Dallimore <jake@moodle.com>
Wed, 8 Jan 2020 06:22:48 +0000 (14:22 +0800)
committerSara Arjona <sara@moodle.com>
Wed, 8 Jan 2020 11:31:09 +0000 (12:31 +0100)
If any html/script tags are found in the text() value, don't display it.

message/amd/build/message_drawer_view_overview_section.min.js
message/amd/build/message_drawer_view_overview_section.min.js.map
message/amd/src/message_drawer_view_overview_section.js

index 5271dc1..c6daf6f 100644 (file)
Binary files a/message/amd/build/message_drawer_view_overview_section.min.js and b/message/amd/build/message_drawer_view_overview_section.min.js differ
index 32de90f..1331bfd 100644 (file)
Binary files a/message/amd/build/message_drawer_view_overview_section.min.js.map and b/message/amd/build/message_drawer_view_overview_section.min.js.map differ
index 8fa7398..fed38be 100644 (file)
@@ -223,7 +223,10 @@ function(
                 // If that's not possible, we'll report it under the catch-all 'other media'.
                 var messagePreview = $(lastMessage.text).text();
                 if (messagePreview) {
-                    return messagePreview;
+                    // The text value of the message must have no html/script tags.
+                    if (messagePreview.indexOf('<') == -1) {
+                        return messagePreview;
+                    }
                 }
             }
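Review bot: The added `indexOf('<')` test only inspects the output of `.text()`, so it runs after `$(lastMessage.text)` on the context line above has already handed the raw message string to jQuery, which builds elements in the page's document from HTML-looking input and treats anything else as a selector. Whether `lastMessage.text` is cleaned server-side is not visible from this hunk; if it can carry arbitrary markup, the preview text should be extracted in an inert document instead, e.g. `var messagePreview = new DOMParser().parseFromString(lastMessage.text, 'text/html').body.textContent;`. The guard also sends any legitimate message containing a literal `<` to the 'other media' fallback, which the comment should mention, and `=== -1` would be the stricter comparison. The enclosing function starts and ends outside the hunk.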