From 9de08c69500b4078fba07e17d711c82e241bcaaf Mon Sep 17 00:00:00 2001
From: Leon Klingele
Date: Thu, 3 Nov 2016 12:33:50 +0100
Subject: [PATCH] Fix XSS in room PIN dialog
Nothing _really_ serious though, as the message was still auto- filtered by Angular. This would not allow to load remote scripts.
As we still need to show some un-sanitized messages, we can't fix this in alertify.js directly to force-sanitize all texts.
---
 static/js/services/roompin.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/static/js/services/roompin.js b/static/js/services/roompin.js
index 4eaa237a..a407b9a4 100644
--- a/static/js/services/roompin.js
+++ b/static/js/services/roompin.js
@@ -23,7 +23,7 @@ define([
 ], function() {
-return ["$window", "$q", "alertify", "translation", function($window, $q, alertify, translation) {
+return ["$window", "$q", "alertify", "translation", "safeMessage", function($window, $q, alertify, translation, safeMessage) {
 var pinCache = {};
 var roompin = {
@@ -38,15 +38,15 @@ define([
 update: function(roomName, pin) {
 if (pin) {
 pinCache[roomName] = pin;
-alertify.dialog.alert(translation._("PIN for room %s is now '%s'.", roomName, pin));
+alertify.dialog.alert(translation._("PIN for room %s is now '%s'.", safeMessage(roomName), safeMessage(pin)));
 } else {
 roompin.clear(roomName);
-alertify.dialog.alert(translation._("PIN lock has been removed from room %s.", roomName));
+alertify.dialog.alert(translation._("PIN lock has been removed from room %s.", safeMessage(roomName)));
 }
 },
 requestInteractively: function(roomName) {
 var deferred = $q.defer();
-alertify.dialog.prompt(translation._("Enter the PIN for room %s", roomName), function(pin) {
+alertify.dialog.prompt(translation._("Enter the PIN for room %s", safeMessage(roomName)), function(pin) {
 if (pin) {
 pinCache[roomName] = pin;
 deferred.resolve();
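Review bot: The cache that the new `safeMessage` dependency sits next to, `var pinCache = {};`, is a plain object keyed directly by the user-controlled `roomName`, so a room named `constructor`, `hasOwnProperty` or `__proto__` resolves to an inherited `Object.prototype` member rather than a missing entry, and any plain `pinCache[roomName]` lookup elsewhere in the service (not visible in this hunk) would treat such a room as already having a truthy PIN. Since the file is ES5 and `Object.create(null)` is available, the one-line change `var pinCache = Object.create(null);` removes the inherited keys without touching any caller. I would add a short comment on that line, `// keyed by untrusted roomName; no prototype so names like "constructor" cannot collide`, so the reason is not lost. The enclosing factory function starts before this hunk and ends after it.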
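Review bot: The escaping is now applied correctly at the render boundary only — `safeMessage(roomName)` and `safeMessage(pin)` go into the dialog text while `pinCache[roomName] = pin` keeps the raw values — but nothing in the code records that this is deliberate, and the commit message explains that alertify intentionally renders some messages un-sanitized, so the next `alertify.dialog.*` call added to this service will likely regress if the author passes `roomName` raw. I would put a comment above `update: function(roomName, pin) {` such as `// roomName and pin are user-controlled and alertify renders dialog text without sanitizing it; every value interpolated into a dialog message must pass through safeMessage first, but cached values stay raw`, so the invariant is visible where the next call site will be written. If `safeMessage` only HTML-escapes (I cannot see its definition here), note that the escaped `pin` is still shown in clear in a modal, which is pre-existing behaviour and may be intended. The `requestInteractively` method and the prompt callback continue past the end of this hunk.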