fix(preferences(js)): sanitize content of toast

Sanitize subject and sender of message when using $mdToast to alert user of new messages. Fixes #5178
2020-09-30 14:14:24 -04:00 · 2020-09-30 14:14:24 -04:00 · 712d0f4ef1
parent ec1a01e316
commit 712d0f4ef1
1 changed files with 10 additions and 6 deletions
--- a/UI/WebServerResources/js/Preferences/Preferences.service.js
+++ b/UI/WebServerResources/js/Preferences/Preferences.service.js
@ -417,16 +417,18 @@
            }
            else {
              toast = {
+                locals: {
+                  title: headers[subjectHeaderIndex],
+                  body: headers[fromHeaderIndex][0].name || headers[fromHeaderIndex][0].email
+                },
                template: [
                  '<md-toast role="alert">',
                  '  <div class="md-toast-content">',
                  '    <div layout="row" layout-align="start center" flex>',
                  '      <md-icon class="md-primary md-hue-1">email</md-icon>',
                  '      <div class="sg-padded--left">',
-                  headers[subjectHeaderIndex],
-                  '        <div class="sg-hint">',
-                  headers[fromHeaderIndex][0].name || headers[fromHeaderIndex][0].email,
-                  '        </div>',
+                  '        <span md-truncate ng-bind="title"></span>',
+                  '        <div class="sg-hint" md-truncate ng-bind="body"></div>',
                  '      </div>',
                  '      <div flex></div>',
                  '      <md-button ng-click="close()">',
@ -470,8 +472,10 @@
    /**
     * @ngInject
     */
-    toastController.$inject = ['scope', '$mdToast'];
-    function toastController (scope, $mdToast) {
+    toastController.$inject = ['scope', '$mdToast', 'title', 'body'];
+    function toastController (scope, $mdToast, title, body) {
+      scope.title = title;
+      scope.body = body;
      scope.close = function() {
        $mdToast.hide('ok');
      };