From: Anon <makotech222@users.noreply.github.com>
Date: Mon, 10 Jul 2023 11:37:07 +0000 (-0500)
Subject: Fix XSS vuln (#1897)
X-Git-Url: http://these/git/%22%7Burl%7D/%7BdonateLemmyUrl%7D?a=commitdiff_plain;h=e80bcf53acb8ce25ed5ef6b7eb16b90f0b07e8f1;p=lemmy-ui.git

Fix XSS vuln (#1897)
---

diff --git a/src/shared/markdown.ts b/src/shared/markdown.ts
index 85aa8ee..33afd71 100644
--- a/src/shared/markdown.ts
+++ b/src/shared/markdown.ts
@@ -188,13 +188,16 @@ export function setupMarkdown() {
     //Provide custom renderer for our emojis to allow us to add a css class and force size dimensions on them.
     const item = tokens[idx] as any;
     const title = item.attrs.length >= 3 ? item.attrs[2][1] : "";
-    const src: string = item.attrs[0][1];
-    const isCustomEmoji = customEmojisLookup.get(title) != undefined;
+    const customEmoji = customEmojisLookup.get(title);
+    const isCustomEmoji = customEmoji != undefined;
     if (!isCustomEmoji) {
       return defaultRenderer?.(tokens, idx, options, env, self) ?? "";
     }
-    const alt_text = item.content;
-    return `<img class="icon icon-emoji" src="${src}" title="${title}" alt="${alt_text}"/>`;
+    return `<img class="icon icon-emoji" src="${
+      customEmoji!.custom_emoji.image_url
+    }" title="${customEmoji!.custom_emoji.shortcode}" alt="${
+      customEmoji!.custom_emoji.alt_text
+    }"/>`;
   };
   md.renderer.rules.table_open = function () {
     return '<table class="table">';
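Review bot: The three values interpolated into the `<img>` template (`image_url`, `shortcode`, `alt_text`) are still written into double-quoted attributes without HTML escaping, so the renderer's safety now rests entirely on what is stored in `customEmojisLookup`. Whether those fields are validated when an emoji is created is not visible here, so I would escape at the output point, e.g. `alt="${md.utils.escapeHtml(customEmoji.custom_emoji.alt_text)}"`, and do the same for `src` and `title`. Replacing the `isCustomEmoji` flag with a direct `if (!customEmoji)` guard would also let the compiler narrow the type and remove the three `!` assertions. The image renderer and `setupMarkdown` both begin above this hunk, so any earlier handling of `title` is not visible from here.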