This fixes a bundle of issues where we were missing quotes ("") around attribute values coming from variables. In most cases, the variables were integers or fixed constants from the Zulip codebase (e.g., the name of an installed integration), but in at least one case it was user-provided data that could potentially have security impact.
{# Renders one message row: avatar and sender name (only when include_sender is set), the timestamp, and the message body unless status_message is set. #}
{# Attribute values filled from variables stay inside double quotes: HTML-escaping alone does not stop a value containing whitespace from adding extra attributes when the quotes are missing. #}
<div class="message_row {% if include_sender %} include-sender {% endif %}">
  <div class="messagebox">
    <div class="messagebox-content">
      <div class="message_top_line">
        <span class="message_sender{% if status_message %} sender_info_hover{% endif %} no-select">
          {% if include_sender %}
            <div class="inline_profile_picture">
              <img class="no-drag" src="{{ avatar_url }}" alt="">
            </div>
            {# sender_full_name and status_message are printed without |safe, so their escaping depends on template autoescaping. NOTE(review): confirm autoescape is enabled for this template. #}
            {% if status_message %}
              <span class="sender-status">
                <span class="sender_name-in-status">{{ sender_full_name }}</span>
                {% if sender_is_bot %}
                  <i class="zulip-icon bot" aria-hidden="true"></i>
                {% endif %}
                <span class="status-message">
                  {{ status_message }}
                </span>
              </span>
            {% else %}
              <span class="sender_name auto-select">{{ sender_full_name }}</span>
              {% if sender_is_bot %}
                <i class="zulip-icon bot" aria-hidden="true"></i>
              {% endif %}
            {% endif %}
          {% endif %}
        </span>
        <span class="message_time{% if status_message %} status-time{% endif %}">{{ timestampstr }}</span>
      </div>
      {# Trust boundary: |safe switches off autoescaping for message_content, so whatever HTML the caller passes is emitted verbatim. #}
      {# NOTE(review): presumably this is server-rendered, already-sanitized message HTML; verify that at every call site and never pass raw user text here. #}
      {% if not status_message %}
        <div class="message_content">{{ message_content|safe }}</div>
      {% endif %}

    </div>
  </div>
</div>