diff --git a/web_src/js/features/contextpopup.js b/web_src/js/features/contextpopup.js
index a9a0ceee3..c16820cf1 100644
--- a/web_src/js/features/contextpopup.js
+++ b/web_src/js/features/contextpopup.js
@@ -1,3 +1,4 @@
+import {htmlEscape} from 'escape-goat';
 import {svg} from '../svg.js';
 const {AppSubUrl} = window.config;
@@ -31,7 +32,7 @@ function issuePopup(owner, repo, index, $element) {
 if ((red * 0.299 + green * 0.587 + blue * 0.114) > 125) {
 color = '#000000';
 }
- labels += `
${label.name}
`;
+ labels += `
${htmlEscape(label.name)}
`;
 }
 if (labels.length > 0) {
 labels = `

${labels}

`; @@ -64,9 +65,9 @@ function issuePopup(owner, repo, index, $element) { }, html: `
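Review bot: `labels` is accumulated as an HTML string in this loop and later interpolated unescaped as `${labels}` in the popup template, so its safety depends on every field appended here being escaped; a comment above the `labels += ...` line would record that invariant, e.g. `// labels is raw HTML: escape every interpolated field before appending`. The element markup around `${htmlEscape(label.name)}` is not visible on this page; if the label colour is interpolated into a style attribute there, it is worth confirming it is validated as a hex colour, because htmlEscape does not constrain what a CSS value may contain. issuePopup's body starts and ends outside the hunk.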
-

${issue.repository.full_name} on ${createdAt}

-

${svg(octicon)} ${issue.title} #${index}

-

${body}

+

${htmlEscape(issue.repository.full_name)} on ${createdAt}

+

${svg(octicon)} ${htmlEscape(issue.title)} #${index}

+

${htmlEscape(body)}

${labels}
`
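Review bot: `${createdAt}` and `${index}` are still interpolated raw in the new template, next to the three fields this commit wraps in htmlEscape. Where they come from is outside the hunk; if either is taken from a string in the API response or from the link's href rather than from a formatted date and a parsed integer, it should go through the same call, e.g. `#${htmlEscape(index)}`. A short comment above `html:` stating that `${svg(octicon)}` and `${labels}` are the only intentionally raw HTML values would make the next added field easier to review.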