From d7442739b5489a947cf525513d96db9985035ae3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?= <jespinog@gmail.com>
Date: Fri, 18 Jun 2021 16:46:57 +0200
Subject: [PATCH] Fixing MM-36062 another detail

---
 webapp/src/utils.test.ts | 2 +-
 webapp/src/utils.ts      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/webapp/src/utils.test.ts b/webapp/src/utils.test.ts
index 0adb89cf3..c07aba6a9 100644
--- a/webapp/src/utils.test.ts
+++ b/webapp/src/utils.test.ts
@@ -29,7 +29,7 @@ describe('utils', () => {
         test('should not allow XSS on links href on the desktop app', () => {
             const windowAsAny = window as any
             windowAsAny.openInNewBrowser = () => null
-            const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(&quot;%22xss-attack=%22true%22other=%22whatever&quot;);"></a></p>'
+            const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);"></a></p>'
             expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe(expectedHtml)
             windowAsAny.openInNewBrowser = null
         })
diff --git a/webapp/src/utils.ts b/webapp/src/utils.ts
index 4e7b40b86..ef2860399 100644
--- a/webapp/src/utils.ts
+++ b/webapp/src/utils.ts
@@ -113,7 +113,7 @@ class Utils {
         // HACKHACK: Somehow, marked doesn't encode angle brackets
         const renderer = new marked.Renderer()
         if ((window as any).openInNewBrowser) {
-            renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(&quot;${encodeURI(href || '')}&quot;);">${contents}</a>`
+            renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);">${contents}</a>`
         }
         const html = marked(text.replace(/</g, '&lt;'), {renderer, breaks: true})
         return html.trim()