diff --git a/src/js/controller/write.js b/src/js/controller/write.js
index 7a2086a..ee6af32 100644
--- a/src/js/controller/write.js
+++ b/src/js/controller/write.js
@@ -39,7 +39,7 @@ define(function(require) {
}
function fillFields(re) {
- var from, body, bodyRows;
+ var from, body;
if (!re) {
return;
@@ -53,12 +53,13 @@ define(function(require) {
// fill text body
from = re.from[0].name || re.from[0].address;
- body = '
' + $filter('date')(re.sentDate, 'EEEE, MMM d, yyyy h:mm a') + ' ' + from + ' wrote:';
- bodyRows = re.body.split('\n');
- bodyRows.forEach(function(row) {
- body += (!re.html) ? '
' + row : '';
- });
- $scope.body = body;
+ body = '
' + $filter('date')(re.sentDate, 'EEEE, MMM d, yyyy h:mm a') + ' ' + from + ' wrote:
';
+
+ // clean text from markup if to prevent injection in contenteditable
+ if (!re.html) {
+ body += $('
' + re.body + '
').text().split('\n').join('' + text + '
'; - return $(html).text(); + return $('' + text + '
').text(); } //