Escape username

In case of guest users it was possible to inject html.

Change-Id: I642de3efa0fa03cd2a8d63834605f46eacd0f464
Reviewed-on: https://gerrit.libreoffice.org/69410
Reviewed-by: Szymon Kłos <szymon.klos@collabora.com>
Tested-by: Szymon Kłos <szymon.klos@collabora.com>
(cherry picked from commit 3084565981d85d5734436c3411266c529ad5d879)
(cherry picked from commit 7176214de3177ad3ecc2f79871cca686e2683ea3)
Reviewed-on: https://gerrit.libreoffice.org/69422
Reviewed-by: Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de>
Tested-by: Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de>

1 files changed, 6 insertions, 2 deletions

diff --git a/loleaflet/js/toolbar.js b/loleaflet/js/toolbar.js
index f179bff595..56e5cc52aa 100644
--- a/loleaflet/js/toolbar.js
+++ b/loleaflet/js/toolbar.js
@@ -1530,11 +1530,16 @@ function updateUserListCount() {
 	$('#zoomlevel').html(zoomlevel);
 }
 
+function escapeHtml(input) {
+	return $('<div>').text(input).html();
+}
+
 function onAddView(e) {
+	var username = escapeHtml(e.username);
 	$('#tb_toolbar-down_item_userlist')
 		.w2overlay({
 			class: 'loleaflet-font',
-			html: userJoinedPopupMessage.replace('%user', e.username),
+			html: userJoinedPopupMessage.replace('%user', username),
 			style: 'padding: 5px'
 		});
 	clearTimeout(userPopupTimeout);
@@ -1544,7 +1549,6 @@ function onAddView(e) {
 		userPopupTimeout = null;
 	}, 3000);
 
-	var username = e.username;
 	var color = L.LOUtil.rgbToHex(map.getViewColor(e.viewId));
 	if (e.viewId === map._docLayer._viewId) {
 		username = _('You');