Escape HTML chars in composer highlights

This is very embarrassing, I know
2024-01-17 11:31:33 +08:00 · 2024-01-17 11:31:33 +08:00 · b6c4045cb4
parent 37c784dad2
commit b6c4045cb4
1 changed files with 8 additions and 1 deletions
--- a/src/components/compose.jsx
+++ b/src/components/compose.jsx
@ -133,7 +133,14 @@ const SCAN_RE = new RegExp(

 function highlightText(text, { maxCharacters = Infinity }) {
  // Accept text string, return formatted HTML string
-  let html = text;
+  // Escape all HTML special characters
+  let html = text
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+
  // Exceeded characters limit
  const { composerCharacterCount } = states;
  let leftoverHTML = '';