Make sure every text in template is escaped by default (unless customCback returns unescaped value)

2022-02-14 02:36:55 +01:00 · 2022-02-14 02:36:55 +01:00 · adff18f54d
parent 6f786583a9
commit adff18f54d
1 changed files with 3 additions and 2 deletions
--- a/web/src/app/js/app.js
+++ b/web/src/app/js/app.js
@ -33,8 +33,9 @@ app.template = {
 		for (var i = 0; i < matches.length; i++) {
 			const k = matches[i];
 			if (k.match(/^[a-zA-Z0-9_\.]+$/)) {
-				var v = eval(`data.${k}`);
-				if (customCback !== undefined) {
+				var v = htmlescape(eval(`data.${k}`));
+				if (v !== undefined &&
+					customCback !== undefined) {
 					var newv = customCback(k, v);
 					if (newv !== undefined)
 						v = newv;