From a97312b2e4a853b9ba911eabb14b7bb334bd94dd Mon Sep 17 00:00:00 2001
From: ffqq
Date: Thu, 13 Jul 2023 16:34:49 +0000
Subject: [PATCH] fix: xss vulnerability in chat.js

---
 static/js/chat.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/static/js/chat.js b/static/js/chat.js
index 1c7194e..1df74dd 100644
--- a/static/js/chat.js
+++ b/static/js/chat.js
@@ -21,10 +21,10 @@ async function updateMessages(id) {
     const { creator, content, id, created } = message;
     // Check if the message content contains any links that are not image links and hide image links
-    const linkRegex = /(https?:\/\/[^\s]+(?$1");
+    const hideRegex = /(https?:\/\/(?:cdn\.discordapp\.com|media\.discordapp\.net|media\.tenor\.com|i\.imgur\.com)\/.+?\.(?:png|apng|webp|svg|jpg|jpeg|gif))(?=$|\s)/gi;
+    let messageContent = content.replace(hideRegex, "");
-    messageParagraph.innerHTML = `${creator.username}: ${messageContent}`;
+    messageParagraph.innerText = `${creator.username}: ${messageContent}`;
     messageParagraph.classList.add("messageParagraph");
     messageParagraph.id = `messageParagraph${id}`;
     messageParagraph.appendChild(timeParagraph);
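Review bot: The lazy `.+?` in the new `hideRegex` is not whitespace-bounded, so ordinary text between a CDN host and a later image extension is stripped with the URL: `https://i.imgur.com/a some words.png` loses `some words`, and `https://i.imgur.com/x hello.png` loses `hello`, even though neither is a plain image link. Restricting the path to non-space characters fixes this with a one-token change, `\/\S+?\.(?:png|apng|webp|svg|jpg|jpeg|gif))(?=$|\s)/gi`, and then leaves such messages visible unchanged. Moving from `innerHTML` to `innerText` does close the injection through `creator.username` and `content`, but `textContent` is the usual choice for untrusted text since `innerText` forces a layout pass and is CSS-aware, and `messageContent` is never reassigned in the hunk so `const` fits. The rest of `updateMessages`, including wherever the hidden image links are rendered, is outside this hunk, and the diffstat lists three deletions where only two removed lines are visible here, so the old `linkRegex` line appears truncated in this rendering.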