Ensure any html in changelog is escaped before displaying

2023-10-10 13:36:53 +02:00 · 2021-06-29 13:58:24 +01:00 · 2021-06-29 13:58:24 +01:00 · fa4b7a1a69
commit fa4b7a1a69
parent 977dfe700b
2 changed files with 3 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -45,7 +45,7 @@ Editor
 - Update Node-RED Function typings in Monaco (#3008) @Steve-Mcl
 - Add css named variables for certain key colours (#2994) @knolleary
 - Improve contrast of export dialog JSON font color
- - Switch editableList buttons from \<a\> to \<button\> elements
+ - Switch editableList buttons from <a> to <button> elements
 - Add option to RED.nodes.createCompleteNodeSet to include node dimensions
 - Fix css of node help table of contents elements
 - Improve red-ui-node-icon css and add red-ui-node-icon-small modifier class
--- a/packages/node_modules/@node-red/editor-client/src/js/red.js
+++ b/packages/node_modules/@node-red/editor-client/src/js/red.js
@ -540,6 +540,8 @@ var RED = (function() {

    function showAbout() {
        $.get('red/about', function(data) {
+            // data will be strictly markdown. Any HTML should be escaped.
+            data = RED.utils.sanitize(data);
            var aboutHeader = '<div style="text-align:center;">'+
            '<img width="50px" src="red/images/node-red-icon.svg" />'+
            '</div>';