From e9cf2a8580ed00a668350e4654764dfd308826d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Weber?=
Date: Tue, 12 Oct 2021 16:32:45 +0200
Subject: [PATCH] security: fix XSS for malicioius image URLs #117
---
 static/js/relearn.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/static/js/relearn.js b/static/js/relearn.js
index 7362f91873..599c0e6b44 100644
--- a/static/js/relearn.js
+++ b/static/js/relearn.js
@@ -148,7 +148,8 @@ images.wrap(function(){
 // IF featherlight is false, do not use feather light
 if (f != 'false') {
 if (!image.parent("a").length) {
- return "";
+ var html = $( "" ).attr("href", image[0].src).attr("data-featherlight", "image").get(0).outerHTML;
+ return html;
 }
 }
 });
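Review bot: The added lines serialise the link to a string with `.get(0).outerHTML` and return that string to `images.wrap`, which parses it again, so the fix still relies on the serialiser escaping the `href` value correctly. jQuery's `.wrap()` callback may also return a jQuery object, so ending the chain at `.attr("data-featherlight", "image")` and returning that object would keep the image URL out of HTML parsing altogether. The scheme of `image[0].src` is still not checked before it becomes an `href`; if image URLs are treated as untrusted here, consider accepting only `http:`, `https:` and relative URLs. A short comment such as `// set href via attr(): the image URL must never be concatenated into markup` would guard against a later return to string building. The callback starts above the hunk, so how `image` and `f` are derived is not visible here.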