diff --git a/src/components/views/rooms/LinkPreviewWidget.js b/src/components/views/rooms/LinkPreviewWidget.js index ee63cd1bb7..06c0201af8 100644 --- a/src/components/views/rooms/LinkPreviewWidget.js +++ b/src/components/views/rooms/LinkPreviewWidget.js @@ -128,15 +128,15 @@ module.exports = createReactClass({ } const AccessibleButton = sdk.getComponent('elements.AccessibleButton'); + // Escape > to prevent any HTML injections, we can't replace & as the description may contain & encoded html entities + const safeDescription = (p["og:description"] || "").replace("<", "<").replace(">", ">"); return (