diff --git a/src/backend/matrix_client.py b/src/backend/matrix_client.py
index cd32f3c0..b4b7c8c6 100644
--- a/src/backend/matrix_client.py
+++ b/src/backend/matrix_client.py
@@ -1069,7 +1069,7 @@ class MatrixClient(nio.AsyncClient):
f"%1's {kind} was removed by %2"
if reason:
- content = f"{content}, reason: {reason}"
+ content = f"{content}, reason: {html.escape(reason)}"
return content
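Review bot: `html.escape(reason)` refers to the `html` module, but this diff adds no `import html` to matrix_client.py (only nio_callbacks.py gets `from html import escape`); unless `html` is already imported at the top of matrix_client.py, which is outside this hunk, the line raises NameError the first time a removal with a reason is rendered. Either confirm the existing import or add `import html` to that file's import block. `kind` on the preceding line is interpolated unescaped; that is fine if it is an internal constant, but it needs the same treatment if it is ever taken from event data. The enclosing function starts before this hunk.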
diff --git a/src/backend/nio_callbacks.py b/src/backend/nio_callbacks.py
index 5e5eec58..7f3a5515 100644
--- a/src/backend/nio_callbacks.py
+++ b/src/backend/nio_callbacks.py
@@ -4,6 +4,7 @@ import json
import logging as log
from dataclasses import dataclass, field
from datetime import datetime
+from html import escape
from typing import TYPE_CHECKING, Optional, Tuple
from urllib.parse import quote
@@ -159,7 +160,7 @@ class NioCallbacks:
async def onRoomMessageUnknown(
self, room: nio.MatrixRoom, ev: nio.RoomMessageUnknown,
) -> None:
- co = f"%1 sent an unsupported {ev.msgtype} message"
+ co = f"%1 sent an unsupported {escape(ev.msgtype)} message"
await self.client.register_nio_event(room, ev, content=co)
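Review bot: Escaping `ev.msgtype` only closes the hole if the `%1` placeholder in the same string is also filled in with an escaped sender name; that substitution happens in `register_nio_event`, outside this diff, and a display name is as attacker-controlled as the msgtype. Worth confirming that the placeholder path escapes, or documenting it at the sink with a comment such as `# %1/%2 are substituted later; the substituted names must be HTML-escaped there`. The same caveat applies to every `%1` string touched in this file.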
@@ -333,7 +334,9 @@ class NioCallbacks:
if self.client.backend.ui_settings["hideMembershipEvents"]:
return None
- reason = f", reason: {now['reason']}" if now.get("reason") else ""
+ reason = escape(
+ f", reason: {now['reason']}" if now.get("reason") else "",
+ )
if membership == "join":
return (
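Review bot: `escape()` now wraps the fixed `, reason: ` prefix as well as the value, and unlike the old f-string it requires a `str`: `html.escape` calls `.replace` on its argument, so a malformed membership event whose `reason` is a number or object would raise inside the callback instead of being rendered. Escape only the untrusted field and coerce it first, `reason = f", reason: {escape(str(now['reason']))}" if now.get("reason") else ""`. Whether nio validates the type of `reason` before this point is not visible here. The enclosing function starts before and continues after this hunk.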
@@ -378,8 +381,8 @@ class NioCallbacks:
if prev and now.get("displayname") != prev.get("displayname"):
changed.append('display name from "{}" to "{}"'.format(
- prev.get("displayname") or ev.state_key,
- now.get("displayname") or ev.state_key,
+ escape(prev.get("displayname") or ev.state_key),
+ escape(now.get("displayname") or ev.state_key),
))
if changed:
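Review bot: `prev.get("displayname") or ev.state_key` goes straight into `escape()`, which accepts only `str`; a display name that a misbehaving server sends as a non-string would now raise where the previous `.format()` call stringified it, so `escape(str(...))` is the safer form for both arguments. Any other entries appended to `changed` outside this hunk (avatar changes and the like) need the same escaping if they interpolate event data, which this diff does not show. The enclosing function starts before and continues after this hunk.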
@@ -435,7 +438,7 @@ class NioCallbacks:
) -> None:
if ev.canonical_alias:
url = f"https://matrix.to/#/{quote(ev.canonical_alias)}"
- link = f"{ev.canonical_alias}"
+ link = f"{escape(ev.canonical_alias)}"
co = f"%1 set the room's main address to {link}"
else:
co = "%1 removed the room's main address"
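Review bot: `link = f"{escape(ev.canonical_alias)}"` wraps an already-string value in an f-string for no effect; `link = escape(ev.canonical_alias)` reads the same and drops the indirection. `url` is still built with `quote()` on the line above but is not used anywhere in this hunk; if the change made it dead, remove it, and if it is placed into markup further down, note that `quote()` is a URL encoder, not an HTML one. The enclosing function continues after this hunk.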
@@ -447,7 +450,7 @@ class NioCallbacks:
self, room: nio.MatrixRoom, ev: nio.RoomNameEvent,
) -> None:
if ev.name:
- co = f"%1 changed the room's name to \"{ev.name}\""
+ co = f"%1 changed the room's name to \"{escape(ev.name)}\""
else:
co = "%1 removed the room's name"
@@ -498,7 +501,7 @@ class NioCallbacks:
async def onBadEvent(
self, room: nio.MatrixRoom, ev: nio.BadEvent,
) -> None:
- co = f"%1 sent a malformed {ev.type} event"
+ co = f"%1 sent a malformed {escape(ev.type)} event"
await self.client.register_nio_event(room, ev, content=co)
@@ -516,7 +519,7 @@ class NioCallbacks:
await self.client.register_nio_room(room)
return
- co = f"%1 sent an unsupported {ev.type} event"
+ co = f"%1 sent an unsupported {escape(ev.type)} event"
await self.client.register_nio_event(room, ev, content=co)
@@ -524,8 +527,8 @@ class NioCallbacks:
self, room: nio.MatrixRoom, ev: nio.UnknownEncryptedEvent,
) -> None:
co = (
- f"%1 sent an {ev.type} event encrypted with "
- f"unsupported {ev.algorithm} algorithm"
+ f"%1 sent an {escape(ev.type)} event encrypted with "
+ f"unsupported {escape(ev.algorithm)} algorithm"
)
await self.client.register_nio_event(room, ev, content=co)