chat: Use jQuery to build the chat message DOM object

This reduces the likelihood of accidentally introducing an XSS
vulnerability.

src/static/js/chat.js

@@ -164,15 +164,22 @@ exports.chat = (() => {
       // Call chat message hook
       hooks.aCallAll('chatNewMessage', ctx, () => {
         const cls = authorClass(ctx.author);
-        const html =
+        const chatMsg = $('<p>')
-            `<p data-authorId='${padutils.escapeHtml(ctx.author)}' class='${cls}'>` +
+            .attr('data-authorId', ctx.author)
-            `<b>${padutils.escapeHtml(ctx.authorName)}:</b>` +
+            .addClass(cls)
-            // ctx.text was HTML-escaped before calling the hook, and ctx.timeStr couldn't have had
+            .append($('<b>').text(`${ctx.authorName}:`))
-            // any HTML. Hook functions are trusted to not introduce an XSS vulnerability by adding
+            .append($('<span>')
-            // unescaped user input to either ctx.text or ctx.timeStr.
+                .addClass('time')
-            `<span class='time ${cls}'>${ctx.timeStr}</span> ${ctx.text}</p>`;
+                .addClass(cls)
-        if (isHistoryAdd) $(html).insertAfter('#chatloadmessagesbutton');
+                // Hook functions are trusted to not introduce an XSS vulnerability by adding
-        else $('#chattext').append(html);
+                // unescaped user input to ctx.timeStr.
+                .html(ctx.timeStr))
+            .append(' ')
+            // ctx.text was HTML-escaped before calling the hook. Hook functions are trusted to not
+            // introduce an XSS vulnerability by adding unescaped user input.
+            .append($('<div>').html(ctx.text).contents());
+        if (isHistoryAdd) chatMsg.insertAfter('#chatloadmessagesbutton');
+        else $('#chattext').append(chatMsg);
 
         // should we increment the counter??
         if (increment && !isHistoryAdd) {