chore: sanitizing content to avoid accidentally rendering html

ubiquity-os-marketplace · Apr 23, 2024 · 391e96e · 391e96e
1 parent 34ad6dc
commit 391e96e
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/parser/github-comment-module.ts b/src/parser/github-comment-module.ts
@@ -136,11 +136,13 @@ export class GithubCommentModule implements Module {
       function buildIncentiveRow(commentScore: GithubCommentScore) {
         // Properly escape carriage returns for HTML rendering
         const formatting = stringify(commentScore.score?.formatting?.content).replace(/[\n\r]/g, "&#13;");
+        // Makes sure any HTML injected in the templated is not rendered itself
+        const sanitizedContent = commentScore.content.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
         return `
           <tr>
             <td>
               <h6>
-                <a href="${commentScore.url}" target="_blank" rel="noopener">${commentScore.content.replace(/(.{64})..+/, "$1&hellip;")}</a>
+                <a href="${commentScore.url}" target="_blank" rel="noopener">${sanitizedContent.replace(/(.{64})..+/, "$1&hellip;")}</a>
               </h6>
             </td>
             <td>