From 7eaefd5299238ab5c9f45f36698ce680fbdc3814 Mon Sep 17 00:00:00 2001
From: Saptak S
Date: Wed, 11 Mar 2020 18:10:08 +0530
Subject: [PATCH] Sanitize message before appending them to the HTML

---
 share/static/js/chat.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/share/static/js/chat.js b/share/static/js/chat.js
index daf2e7d1..1f38ffc3 100644
--- a/share/static/js/chat.js
+++ b/share/static/js/chat.js
@@ -6,11 +6,11 @@ $(function(){
 socket.emit('joined', {});
 });
 socket.on('status', function(data) {
- $('#chat').append('

' + data.msg + '

'); + $('#chat').append('

' + sanitizeHTML(data.msg) + '

'); $('#chat').scrollTop($('#chat')[0].scrollHeight); }); socket.on('message', function(data) { - $('#chat').append('

' + data.msg + '

'); + $('#chat').append('

' + sanitizeHTML(data.msg) + '

');
 $('#chat').scrollTop($('#chat')[0].scrollHeight);
 });
 $('#new-message').on('keypress', function(e) {
@@ -23,8 +23,14 @@ $(function(){
 });
 });

-function emitMessage(socket) {
+var emitMessage = function(socket) {
 text = $('#new-message').val();
 $('#new-message').val('');
 socket.emit('text', {msg: text});
 }
+
+var sanitizeHTML = function(str) {
+ var temp = document.createElement('span');
+ temp.textContent = str;
+ return temp.innerHTML;
+};
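Review bot: Both `append` calls on the new side still assemble markup by string concatenation around `sanitizeHTML(data.msg)`, and the escaper's output is only safe where it lands today — in element text content — so the fix holds now but breaks silently if a later edit moves `data.msg` into an attribute or an `href`. The wrapper tags between the quotes are not visible in this rendering, but building nodes instead of a string removes the dependency on the escaper entirely, e.g. `$('#chat').append($('<div>').append($('<p>').text(data.msg)));` with whatever wrapper elements and class names the original markup used. The `status` and `message` handlers are identical apart from that markup, so one shared helper taking the class name would keep both on the same path.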
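Review bot: `sanitizeHTML` is an entity escaper for element text, not a sanitizer: the `textContent` → `innerHTML` round-trip converts `<`, `>` and `&` but leaves double and single quotes untouched, so its result must never be placed in an attribute value, a URL, or a script/style body. A header comment should pin that contract so the name does not invite misuse, e.g. `// Escapes str for use as HTML element text only (not attributes or URLs); relies on textContent -> innerHTML serialisation.` In the same hunk, the unchanged `text = $('#new-message').val();` inside `emitMessage` assigns an implicit global; `var text = $('#new-message').val();` keeps it local. Converting `function emitMessage` to a `var`-assigned expression also drops hoisting, which is fine only if every caller runs after this script has loaded — the keypress handler above suggests so, but confirm nothing invokes it synchronously at load.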