fix: correct HTML entity encoding and file permission mask #293

Open
Sim-hu wants to merge 1 commit into SebOuellette:master from Sim-hu:fix/parsehtml-and-umask

@Sim-hu Sim-hu commented Mar 20, 2026

Summary

Two small bug fixes: an HTML entity encoding bug and an overly permissive file permission setting.

Changes

1. Fix parseHTML() entity encoding

File: js/parseFunctions.js

- s == '<' ? '&lt;' : s == '>' ? '&gt;' : '&amp'
+ s == '<' ? '&lt;' : s == '>' ? '&gt;' : '&amp;'
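
Review bot: the last branch of this ternary is a catch-all, so any value of s other than '<' or '>' becomes '&amp;'. That is only correct if the caller's match is limited to exactly <, > and &, which this hunk does not show. Consider an explicit lookup from '<', '>' and '&' to their entities, compared with ===, so an unexpected character cannot silently turn into an ampersand entity. Double and single quotes are not covered by this expression, so if the result is ever placed inside an attribute value they would need encoding as well.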

The & character was being replaced with &amp (missing trailing semicolon), which is not a valid HTML entity. This could cause rendering issues in certain HTML parsers.

2. Fix process.umask(0) security issue

File: js/app.js

- process.umask(0);
+ process.umask(0o022);
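
Review bot: on the added line, 0o022 only removes write access for group and other, so everything the application creates afterwards is still readable by every local user (0o644 for files created with the default mode, 0o755 for directories). If the app writes tokens or other account data, consider 0o077 here, or pass an explicit mode such as 0o600 on those writes. Files already created under the old umask of 0 keep their permissions, so the change needs a note or a one-time chmod for existing installs.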

process.umask(0) clears all permission restriction bits, meaning any files created by the application are readable, writable, and executable by all users on the system. Changed to the standard default umask 0o022, which restricts group/other write permissions while still allowing the application to function normally.

Test plan

  • Messages containing & characters render correctly in the UI
  • Files created by the application have expected restrictive permissions

- Add missing semicolon to '&amp;' entity in parseHTML()
- Change process.umask(0) to process.umask(0o022) for safe default permissions