mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-30 05:05:27 -05:00
7f7b10aa09
When showing system-messages, use default Angular sanitizer, also, on the admin panel itself, show the verbatim text of the message. This solves a mild Stored-XSS vulnerability whereby a user could put `<script>` tags in a message. We don't want that, but we do want to be able to use basic html tags.
13 lines
432 B
CoffeeScript
13 lines
432 B
CoffeeScript
define [
|
|
"base"
|
|
], (App) ->
|
|
App.controller "SystemMessagesController", ($scope) ->
|
|
$scope.messages = window.systemMessages;
|
|
|
|
App.controller "SystemMessageController", ($scope, $sce) ->
|
|
$scope.hidden = $.localStorage("systemMessage.hide.#{$scope.message._id}")
|
|
$scope.htmlContent = $scope.message.content
|
|
|
|
$scope.hide = () ->
|
|
$scope.hidden = true
|
|
$.localStorage("systemMessage.hide.#{$scope.message._id}", true)
|