From 9fe43ae49757a99d2a0043fb2ac1e765ae5cecc3 Mon Sep 17 00:00:00 2001 From: Mystikfluu Date: Tue, 5 Jul 2022 14:27:04 +0200 Subject: [PATCH] removed 2 arguments for reply function this will add stronger protection against xss attacks --- js/posts.js | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/js/posts.js b/js/posts.js index 5bf3dc7..3135098 100644 --- a/js/posts.js +++ b/js/posts.js @@ -112,7 +112,7 @@ async function createPost(username,text,time,specialtext,postid,isbot,reply_id) } newP.appendChild(spacerTextNode()) // |\>.Reply to this Post` + newP.innerHTML += `` if(reply_id != 0) { try { @@ -179,10 +179,13 @@ async function main(){ document.getElementById("scriptonly").style = "" } -function reply(username,postid,posttext) { +async function reply(postid) { + let post = await(await fetch("/api/getPost?id="+postid)).json() + let username = post.post_user_name + let posttext = post.post_text document.getElementById("reply").style = "" - document.getElementById("reply_username").innerText = username - document.getElementById("reply_text").innerHTML = filterPost(unescape(unescape_special(unescape_special(posttext)))) + document.getElementById("reply_username").innerText = decodeURIComponent(username) + document.getElementById("reply_text").innerHTML = filterPost(decodeURIComponent(posttext)) reply_id = postid }
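Review bot: In `createPost`, `newP.innerHTML += …` re-serialises and re-parses everything already appended to `newP`, and the reply link still appears to be built as an HTML string rather than as a DOM node. The link markup is not legible in this rendering of the hunk, so the following is hedged: if it still wires the click through an inline `onclick` attribute with `postid` interpolated, that value passes through HTML parsing, and a Content-Security-Policy without `'unsafe-inline'` cannot be adopted. Creating the element with `document.createElement("a")`, setting `textContent`, and attaching `addEventListener("click", () => reply(postid))` would avoid both. createPost's body starts and ends outside the hunk.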
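Review bot: In the new `reply`, the fetched post text is still assigned to `reply_text.innerHTML`, so the XSS protection named in the commit message rests entirely on `filterPost`, which is not visible in this hunk. If the quoted reply is meant to be plain text, assigning `textContent` would remove the sink altogether. The new body also has no failure path: a non-OK response, a JSON parse error, or a `URIError` from `decodeURIComponent` on a stray `%` becomes an unhandled rejection after the reply box may already have been shown, and `postid` is concatenated into the query string unencoded. The sketch below fetches, checks and decodes before touching the DOM.

```javascript
async function reply(postid) {
    let username, posttext
    try {
        const res = await fetch("/api/getPost?id=" + encodeURIComponent(postid))
        if (!res.ok) throw new Error("getPost returned " + res.status)
        const post = await res.json()
        // decodeURIComponent throws URIError on a stray "%": decode before touching the DOM
        username = decodeURIComponent(post.post_user_name)
        posttext = decodeURIComponent(post.post_text)
    } catch (err) {
        console.error("reply: could not load post", err)
        return
    }
    // … unchanged: show the #reply box …
    document.getElementById("reply_username").innerText = username
    // filterPost is the only barrier between stored post text and this HTML sink
    document.getElementById("reply_text").innerHTML = filterPost(posttext)
    // … unchanged: reply_id = postid …
```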