escape teaser content

8 years ago · df069ee78d
parent 8ff9fe34ee
commit df069ee78d
1 changed files with 2 additions and 0 deletions
--- a/src/messaging.js
+++ b/src/messaging.js
@ -3,6 +3,7 @@

 var async = require('async');
 var S = require('string');
+var validator = require('validator');

 var db = require('./database');
 var user = require('./user');
@ -211,6 +212,7 @@ Messaging.getTeaser = function (uid, roomId, callback) {
 			}
 			if (teaser.content) {
 				teaser.content = S(teaser.content).stripTags().decodeHTMLEntities().s;
+				teaser.content = validator.escape(String(teaser.content));
 			}

 			teaser.timestampISO = utils.toISOString(teaser.timestamp);