From 54e12db08b0e853e960a7240e21ac89adaf42e97 Mon Sep 17 00:00:00 2001
From: Cutls <web-pro@cutls.com>
Date: Fri, 12 Apr 2019 23:12:57 +0900
Subject: [PATCH] Fix XSS

---
 app/js/tl/parse.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/js/tl/parse.js b/app/js/tl/parse.js
index 05e97ecd..490c7ef1 100644
--- a/app/js/tl/parse.js
+++ b/app/js/tl/parse.js
@@ -475,7 +475,7 @@ function parse(obj, mix, acct_id, tlid, popup, mutefilter, type) {
 		}else{
 			var nicoemojick=false;
 		}
-		//絵文字があれば
+		//絵文字があれば(nico)
 		if (nicoemojick) {
 			Object.keys(toot.profile_emojis).forEach(function(keynico) {
 				var emoji = toot.profile_emojis[keynico];
@@ -734,7 +734,7 @@ function parse(obj, mix, acct_id, tlid, popup, mutefilter, type) {
 				}
 				poll=poll+'<div class="'+voteclass+' vote vote_'+acct_id+'_'+toot.poll.id+'_'+keyc+'" onclick="'+votesel+'">'+choice.title+'<span class="vote_'+acct_id+'_'+toot.poll.id+'_result '+result_hide+'">('+choice.votes_count+')</span></div>';
 			});
-			poll='<div class="vote_'+acct_id+'_'+toot.poll.id+'">'+poll+myvote+'<span class="cbadge cbadge-hover" title="' + date(toot.poll.expires_at, 'absolute') +
+			poll='<div class="vote_'+acct_id+'_'+toot.poll.id+'">'+strip_tags(poll)+myvote+'<span class="cbadge cbadge-hover" title="' + date(toot.poll.expires_at, 'absolute') +
 			'"><i class="fa fa-calendar-times-o"></i>' +
 			 ended+ '</span></div>';
 		}