From 0afa7bc1843eda185425fe2f91409cc9144abcf2 Mon Sep 17 00:00:00 2001
From: David Cormier <david.cormier@erudit.org>
Date: Fri, 16 Oct 2015 15:13:53 -0400
Subject: [PATCH] plugins: sanitize user input before passing it to plugins

---
 js/plugins.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/js/plugins.js b/js/plugins.js
index 18aa5de..6717fe2 100644
--- a/js/plugins.js
+++ b/js/plugins.js
@@ -57,7 +57,7 @@ var UrlPlugin = function(name, urlCallback) {
  * to display when messages are received.
  *
  */
-plugins.service('plugins', ['userPlugins', '$sce', function(userPlugins, $sce) {
+    plugins.service('plugins', ['userPlugins', '$sce', '$sanitize', function(userPlugins, $sce, $sanitize) {
 
     /*
      * Defines the plugin manager object
@@ -85,7 +85,7 @@ plugins.service('plugins', ['userPlugins', '$sce', function(userPlugins, $sce) {
          */
         var contentForMessage = function(message) {
             message.metadata = [];
-
+            message.text = $sanitize(message.text);
             var addPluginContent = function(content, pluginName, num) {
                 if (num) {
                     pluginName += " " + num;
@@ -110,7 +110,9 @@ plugins.service('plugins', ['userPlugins', '$sce', function(userPlugins, $sce) {
                     nsfw = true;
                 }
 
-                var pluginContent = plugins[i].contentForMessage(message.text);
+                var pluginContent = plugins[i].contentForMessage(
+                    message.text
+                );
                 if (pluginContent && pluginContent !== []) {
 
                     if (pluginContent instanceof Array) {