From dfbd1290de7ca21e6e4c814931b731c35eccc4e7 Mon Sep 17 00:00:00 2001
From: Ralf Stockmann <rstockm@gmail.com>
Date: Fri, 26 May 2023 10:12:47 +0200
Subject: [PATCH] Update script.js

- Added DOMpurify to username, post content and spoiler content to prevent malicious input
---
 script.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/script.js b/script.js
index d6058e7..7b106c5 100644
--- a/script.js
+++ b/script.js
@@ -77,11 +77,11 @@ const displayPost = function(post) {
             <div class="card m-2 p-2">
                 <div class="d-flex align-items-center mb-2">
                     <img src="${post.account.avatar}" class="avatar-img rounded-circle mr-2">
-                    <p class="m-0">${post.account.display_name}</p>
+                    <p class="m-0">${DOMPurify.sanitize(post.account.display_name)}</p>
                 </div>
                 ${post.media_attachments[0] ? `<img src="${post.media_attachments[0].url}" class="card-img-top mb-2">` : ''}
-                <p class="card-text">${post.content}</p>
-                ${post.spoiler_text ? `<p class="card-text text-muted spoiler">${post.spoiler_text}</p>` : ''}
+                <p class="card-text">${DOMPurify.sanitize(post.content)}</p>
+                ${post.spoiler_text ? `<p class="card-text text-muted spoiler">${DOMPurify.sanitize(post.spoiler_text)}</p>` : ''}
                 <p class="card-text text-right"><small class="text-muted"><a href="${post.url}" target="_blank" data-time="${post.created_at}">${timeAgo(secondsAgo(new Date(post.created_at)))}</a></small></p>
             </div>
         </div>