Merge pull request #722 from OpenClinica/fix/html-encoding-dn-718

fixed: dn comments are not HTML encoded, kobotoolbox#718
OpenClinica · Nov 15, 2023 · bf5e723 · bf5e723
2 parents b9eb532 + 8e44738
commit bf5e723
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/widget/discrepancy-note/dn-widget.js b/widget/discrepancy-note/dn-widget.js
@@ -1585,6 +1585,20 @@ class Comment extends Widget {
         }
     }
 
+    _encodeHtml(str) {
+        return str.replace(
+            /[&<>'"]/g,
+            (tag) =>
+                ({
+                    '&': '&amp;',
+                    '<': '&lt;',
+                    '>': '&gt;',
+                    "'": '&#39;',
+                    '"': '&quot;',
+                }[tag])
+        );
+    }
+
     _getHistoryRow(item, options = {}) {
         const types = {
             comment: '<span class="icon fa-comment-o"> </span>',
@@ -1638,7 +1652,9 @@ class Comment extends Widget {
                         types[item.type]
                     }</span>
                     <span class="or-comment-widget__content__history__row__main__comment">
-                        <span class="or-comment-widget__content__history__row__main__comment__text">${msg}</span>
+                        <span class="or-comment-widget__content__history__row__main__comment__text">${this._encodeHtml(
+                            msg
+                        )}</span>
                         <span class="or-comment-widget__content__history__row__main__comment__meta">
                             ${
                                 assignee