From 02d1369d5b2595501d1c23b51954fd1e945dba18 Mon Sep 17 00:00:00 2001
From: bartbutenaers <bart.butenaers@gmail.com>
Date: Tue, 23 Feb 2021 00:00:23 +0100
Subject: [PATCH] Escape all user input

---
 .../src/js/ui/common/editableList.js          | 24 +++++++++----------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/packages/node_modules/@node-red/editor-client/src/js/ui/common/editableList.js b/packages/node_modules/@node-red/editor-client/src/js/ui/common/editableList.js
index d65a4f9fd..7f823289e 100644
--- a/packages/node_modules/@node-red/editor-client/src/js/ui/common/editableList.js
+++ b/packages/node_modules/@node-red/editor-client/src/js/ui/common/editableList.js
@@ -94,19 +94,7 @@
             }
 
             buttons.forEach(function(button) {
-                var text = "";
-                var titleAttribute="";
-                if (button.icon) {
-                    text = '<i class="'+button.icon+'"></i> ';
-                }
-                if (button.label) {
-                    text += button.label;
-                }
-                if (button.title) {
-                    titleAttribute = 'title="'+button.title+'"';
-                }
-                $('<a href="#" class="red-ui-button red-ui-button-small red-ui-editableList-addButton" style="margin-top: 4px; margin-right: 5px;" '+titleAttribute+'></a>')
-                    .text(text)
+                var element = $('<a href="#" class="red-ui-button red-ui-button-small red-ui-editableList-addButton" style="margin-top: 4px; margin-right: 5px;"></a>')
                     .appendTo(that.topContainer)
                     .on("click", function(evt) {
                         evt.preventDefault();
@@ -114,6 +102,16 @@
                             button.click(evt);
                         }
                     });
+                    
+                if (button.title) {
+                    element.attr("title", button.title);
+                }
+                if (button.icon) {
+                    element.append($("<i></i>").attr("class", button.icon));
+                }
+                if (button.label) {
+                    element.append($("<span></span>").text(" " + button.label));
+                }
             });
  
             if (this.element.css("position") === "absolute") {