web: fix sanitization

web/js/ui/fmt.js

@@ -31,7 +31,7 @@ function format_content(ev, show_media) {
 			return "❤️"
 		return sanitize(ev.content.trim());
 	}
-	const content = sanitize(ev.content.trim());
+	const content = ev.content.trim();
 	const body = convert_quote_blocks(content, show_media)
 	let cw = get_content_warning(ev.tags)
 	if (cw !== null) {
@@ -39,9 +39,9 @@ function format_content(ev, show_media) {
 		if (cw === "") {
 			cwHTML += "."
 		} else {
-			cwHTML += `: "<span>${cw}</span>".`
+			cwHTML += html`: "<span>${cw}</span>".`
 		}
-		return `
+		return html`
 		<details class="cw">
 		  <summary class="event-message">${cwHTML}</summary>
 		  ${body}
@@ -78,16 +78,12 @@ function convert_quote_blocks(content, show_media)
  * the profile.
  */
 function fmt_profile_name(profile={}, fallback="Anonymous") {
-	if (profile.sanitized_name)
-		return profile.sanitized_name
 	const name = profile.display_name || profile.user || profile.name || 
 		fallback	
-	profile.sanitized_name = sanitize(name)
+	return html`${name}`;
-	return profile.sanitized_name
 }
 
 function fmt_pubkey(pk) {
 	return pk.slice(-8)
 }
 
-

web/js/ui/render.js

@@ -73,7 +73,7 @@ function render_replying_to(model, ev) {
 	const names = pubkeys.map((pk) => {
 		return render_mentioned_name(pk, model.profiles[pk]);
 	}).join(", ")
-	return html`
+	return `
 	<span class="replying-to small-txt">
 		replying to ${names}
 	</span>
@@ -100,23 +100,23 @@ function render_comment_body(model, ev, opts) {
 	// Only show media for content that is by friends.
 	const show_media = !opts.is_composing &&  
 		model.contacts.friends.has(ev.pubkey); 
-	return html`
+	return `
 	<div>
-	$${render_replying_to(model, ev)}
+	${render_replying_to(model, ev)}
-	$${render_shared_by(ev, opts)}
+	${render_shared_by(ev, opts)}
 	</div>
 	<p>
-	$${format_content(ev, show_media)}
+	${format_content(ev, show_media)}
 	</p>
-	$${render_reactions(model, ev)}
+	${render_reactions(model, ev)}
-	$${bar}`
+	${bar}`
 }
 
 function render_shared_by(ev, opts) {
 	if (!opts.shared)
 		return "";
 	const { profile, pubkey } = opts.shared
-	return html`<div class="shared-by">Shared by $${render_name(pubkey, profile)}
+	return `<div class="shared-by">Shared by ${render_name(pubkey, profile)}
 		</div>`
 }
 
@@ -254,7 +254,7 @@ function render_reactions_inner(model, ev) {
 }
 
 function render_reactions(model, ev) {
-	return html`<div class="reactions">${render_reactions_inner(model, ev)}</div>`
+	return html`<div class="reactions">$${render_reactions_inner(model, ev)}</div>`
 }
 
 // Utility Methods
@@ -281,11 +281,11 @@ function render_name(pk, profile, prefix="") {
 
 function render_pfp(pk, profile, opts={}) {
 	const name = fmt_profile_name(profile, fmt_pubkey(pk));
-	let str = `class="pfp clickable" onclick="open_profile('${pk}')"`;
+	let str = html`class="pfp clickable" onclick="open_profile('${pk}')"`;
 	if (opts.noclick)
 		str = "class='pfp'";
 	return html`<img 
-	${str}
+	$${str}
 	data-pubkey="${pk}" 
 	title="${name}" 
 	onerror="this.onerror=null;this.src='${robohash(pk)}';" 

web/js/ui/state.js

@@ -109,14 +109,16 @@ function view_timeline_update(model) {
 		// find prior event element and insert it before that
 		let prior_el;
 		let prior_idx = arr_bsearch_insert(all, ev, event_cmp_created);
-		while (prior_idx > 0 && !prior_el) {
+		while (prior_idx >= 0 && !prior_el) {
 			prior_el = find_node("#ev"+all[prior_idx].id, el);
 			prior_idx--;
 		}
-		if (!prior_el) {
+		if (prior_el) {
+			el.insertBefore(ev_el, prior_el);
+		} else if (el.childElementCount == 0) {
 			el.appendChild(ev_el);
 		} else {
-			el.insertBefore(ev_el, prior_el);
+			left_overs.push(evid);
 		}
 	}
 	model.invalidated = model.invalidated.concat(left_overs);