fixup: escape Wikipedia HTML, just in case

2025-04-29 03:42:37 +02:00 · 2024-12-17 18:49:49 +01:00 · 2024-12-17 18:49:49 +01:00 · 92df1d792a
commit 92df1d792a
parent 6e5540fe79
2 changed files with 3 additions and 1 deletions
--- a/umap/static/umap/js/modules/rendering/template.js
+++ b/umap/static/umap/js/modules/rendering/template.js
@ -271,7 +271,7 @@ class Wikipedia extends PopupTemplate {
      const extract = page.extract || ''
      const thumbnail = page.thumbnail?.source
      const [content, { image }] = Utils.loadTemplateWithRefs(
-        `<div><h3>${title}</h3><img data-ref="image" hidden src="" />${extract}</div>`
+        `<div><h3>${Utils.escapeHTML(title)}</h3><img data-ref="image" hidden src="" />${Utils.escapeHTML(extract)}</div>`
      )
      if (thumbnail) {
        image.src = thumbnail
--- a/umap/static/umap/js/modules/utils.js
+++ b/umap/static/umap/js/modules/utils.js
@ -115,6 +115,8 @@ export function escapeHTML(s) {
      'span',
      'dt',
      'dd',
+      'b',
+      'i',
    ],
    ADD_ATTR: [
      'target',