overleaf/services/web/public/coffee/main/system-messages.coffee
Shane Kilkelly 7f7b10aa09 Sanitize display of system messages.
When showing system messages, use the default Angular sanitizer; also,
on the admin panel itself, show the verbatim text of the message.

This fixes a mild stored-XSS vulnerability whereby a user could put
`<script>` tags in a message. We don't want that, but we do want
to be able to use basic HTML tags.
2018-08-22 10:15:50 +01:00


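# Controllers for the site-wide system-message banners.
#
# `message.content` is admin-authored HTML that is handed to the template as
# `htmlContent`. It is deliberately NOT marked trusted here: the commit that
# introduced this version relies on Angular's default sanitizer (ngSanitize via
# `ng-bind-html`) to strip `<script>` tags and event-handler attributes while
# keeping basic markup. Do not reintroduce `$sce.trustAsHtml` on this value —
# that would bypass the sanitizer and bring back the stored XSS.
# NOTE(review): the template binding is not visible in this file — confirm it
# uses `ng-bind-html` and not a trusted/unsafe binding.
define [
  "base"
], (App) ->
  # Exposes the server-provided message list (embedded in the page as
  # `window.systemMessages`) to the view.
  App.controller "SystemMessagesController", ($scope) ->
    $scope.messages = window.systemMessages

  # One instance per message: exposes its content and lets the user dismiss
  # it. The dismissal is persisted in localStorage, keyed by the message id.
  # The previously injected `$sce` was unused and has been dropped so the
  # trust API is not within arm's reach of future edits.
  App.controller "SystemMessageController", ($scope) ->
    # Build the storage key once so the read and the write cannot drift apart.
    hideKey = "systemMessage.hide.#{$scope.message._id}"
    # One-argument `$.localStorage(key)` is a read; it yields nothing when the
    # message has not been hidden before.
    $scope.hidden = $.localStorage(hideKey)
    # Raw content — sanitization is the binding's job, see header comment.
    $scope.htmlContent = $scope.message.content
    $scope.hide = () ->
      $scope.hidden = true
      $.localStorage(hideKey, true)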