From 4489b5a21aa7550d1bfeee1b4f3960ebc4698cb7 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Sat, 28 Dec 2019 20:05:55 +0000
Subject: [PATCH] Escape HTML in og:description and render any html &-encoded
 entities

---
 src/components/views/rooms/LinkPreviewWidget.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/components/views/rooms/LinkPreviewWidget.js b/src/components/views/rooms/LinkPreviewWidget.js
index ee63cd1bb7..06c0201af8 100644
--- a/src/components/views/rooms/LinkPreviewWidget.js
+++ b/src/components/views/rooms/LinkPreviewWidget.js
@@ -128,15 +128,15 @@ module.exports = createReactClass({
         }
 
         const AccessibleButton = sdk.getComponent('elements.AccessibleButton');
+        // Escape </> to prevent any HTML injections, we can't replace & as the description may contain & encoded html entities
+        const safeDescription = (p["og:description"] || "").replace("<", "&lt;").replace(">", "&gt;");
         return (
             <div className="mx_LinkPreviewWidget" >
                 { img }
                 <div className="mx_LinkPreviewWidget_caption">
                     <div className="mx_LinkPreviewWidget_title"><a href={this.props.link} target="_blank" rel="noopener">{ p["og:title"] }</a></div>
                     <div className="mx_LinkPreviewWidget_siteName">{ p["og:site_name"] ? (" - " + p["og:site_name"]) : null }</div>
-                    <div className="mx_LinkPreviewWidget_description" ref={this._description}>
-                        { p["og:description"] }
-                    </div>
+                    <div className="mx_LinkPreviewWidget_description" ref={this._description} dangerouslySetInnerHTML={{ __html: safeDescription }} />
                 </div>
                 <AccessibleButton className="mx_LinkPreviewWidget_cancel" onClick={this.props.onCancelClick} aria-label={_t("Close preview")}>
                     <img className="mx_filterFlipColor" alt="" role="presentation"