diff options
author | John Olheiser | 2021-03-05 15:54:01 -0600 |
---|---|---|
committer | GitHub | 2021-03-05 23:54:01 +0200 |
commit | 7d3e174906a24552f32ea5215910bab9cebeafa4 (patch) | |
tree | f577d54c0292061acc610afada62a0dd0d8c57b8 | |
parent | 8456700411d1caaefe8a07c24aa71ae03d8e28f1 (diff) |
Signed-off-by: jolheiser <john.olheiser@gmail.com> (#14898) (#14899)
-rw-r--r-- | web_src/js/features/contextpopup.js | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/web_src/js/features/contextpopup.js b/web_src/js/features/contextpopup.js index a9a0ceee3..c16820cf1 100644 --- a/web_src/js/features/contextpopup.js +++ b/web_src/js/features/contextpopup.js @@ -1,3 +1,4 @@ +import {htmlEscape} from 'escape-goat'; import {svg} from '../svg.js'; const {AppSubUrl} = window.config; @@ -31,7 +32,7 @@ function issuePopup(owner, repo, index, $element) { if ((red * 0.299 + green * 0.587 + blue * 0.114) > 125) { color = '#000000'; } - labels += `<div class="ui label" style="color: ${color}; background-color:#${label.color};">${label.name}</div>`; + labels += `<div class="ui label" style="color: ${color}; background-color:#${label.color};">${htmlEscape(label.name)}</div>`; } if (labels.length > 0) { labels = `<p>${labels}</p>`; @@ -64,9 +65,9 @@ function issuePopup(owner, repo, index, $element) { }, html: ` <div> - <p><small>${issue.repository.full_name} on ${createdAt}</small></p> - <p><span class="${color}">${svg(octicon)}</span> <strong>${issue.title}</strong> #${index}</p> - <p>${body}</p> + <p><small>${htmlEscape(issue.repository.full_name)} on ${createdAt}</small></p> + <p><span class="${color}">${svg(octicon)}</span> <strong>${htmlEscape(issue.title)}</strong> #${index}</p> + <p>${htmlEscape(body)}</p> ${labels} </div> ` |