From 6426157bb347f93a2fffd0aab6ae0644916f88a5 Mon Sep 17 00:00:00 2001
From: azivner
Date: Thu, 28 Dec 2017 19:00:31 -0500
Subject: [PATCH] title in fancytree needs to be escaped for HTML special characters
---
 public/javascripts/note_tree.js | 4 +++-
 public/javascripts/tree_utils.js | 2 +-
 public/javascripts/utils.js | 4 ++++
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/public/javascripts/note_tree.js b/public/javascripts/note_tree.js
index 169db866d..57c93e1f9 100644
--- a/public/javascripts/note_tree.js
+++ b/public/javascripts/note_tree.js
@@ -186,13 +186,15 @@ const noteTree = (function() {
 const noteTreeId = getNoteTreeId(parentNoteId, noteId);
 const noteTree = notesTreeMap[noteTreeId];
+ const title = (noteTree.prefix ? (noteTree.prefix + " - ") : "") + noteIdToTitle[noteTree.note_id];
+
 const node = {
 note_id: noteTree.note_id,
 parent_note_id: noteTree.parent_note_id,
 note_tree_id: noteTree.note_tree_id,
 is_protected: noteTree.is_protected,
 prefix: noteTree.prefix,
- title: (noteTree.prefix ? (noteTree.prefix + " - ") : "") + noteIdToTitle[noteTree.note_id],
+ title: escapeHtml(title),
 extraClasses: getExtraClasses(noteTree),
 refKey: noteTree.note_id,
 expanded: noteTree.is_expanded
diff --git a/public/javascripts/tree_utils.js b/public/javascripts/tree_utils.js
index 673eaf9fc..1d9813e09 100644
--- a/public/javascripts/tree_utils.js
+++ b/public/javascripts/tree_utils.js
@@ -37,7 +37,7 @@ const treeUtils = (function() {
 const title = (prefix ? (prefix + " - ") : "") + noteTitle;
- node.setTitle(title);
+ node.setTitle(escapeHtml(title));
 }
 return {
diff --git a/public/javascripts/utils.js b/public/javascripts/utils.js
index 1f67844ad..1b390d130 100644
--- a/public/javascripts/utils.js
+++ b/public/javascripts/utils.js
@@ -93,4 +93,8 @@ function isTopLevelNode(node) {
 function isRootNode(node) {
 return node.key === "root_1";
+}
+
+function escapeHtml(str) {
+ return $('
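Review bot: Escaping the title where the node is built (`title: escapeHtml(title)`) means the tree model now holds HTML-encoded text instead of the note's real title, and the same applies to `node.setTitle(escapeHtml(title))` in tree_utils.js. Any code that later reads `node.title` and writes it through a text sink (`.text()`, an input value, `document.title`) would show entities such as `&amp;`, and any code that escapes it again would double-encode; the raw `prefix` kept on the node also stays unescaped for whatever else renders it. If the bundled Fancytree version supports the `escapeTitles` option, setting `escapeTitles: true` on the tree would keep titles raw in the model and encode them only at render time. Failing that, a comment next to the field would help the next reader, e.g. `// HTML-escaped for Fancytree rendering; do not reuse as plain text`. The enclosing functions start and end outside both hunks.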
').text(str).html();
 }
\ No newline at end of file
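Review bot: `escapeHtml` carries no comment saying which output context it is safe for, although after this commit it is the only thing standing between a note title and the tree's markup. Assuming the literal inside `$('…')` (not legible on this page) creates a detached element, `.text(str).html()` encodes `&`, `<` and `>` but leaves `"` and `'` alone, so the result is fit for element content and not for an attribute value assembled by string concatenation. I would add above the function: `// Encodes &, < and > for element content only; do not use the result inside an attribute value.`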