From 10d9dee4aaffe65cecb431a41a998cf3fea75942 Mon Sep 17 00:00:00 2001
From: Nick O'Leary
Date: Wed, 9 Apr 2014 14:50:53 +0100
Subject: [PATCH] Escape html chars in Inject/Debug and Info pane
---
 nodes/core/core/20-inject.html | 2 +-
 nodes/core/core/58-debug.html | 6 +++---
 public/red/ui/tab-info.js | 1 +
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/nodes/core/core/20-inject.html b/nodes/core/core/20-inject.html
index 3834232ee..e70517e30 100644
--- a/nodes/core/core/20-inject.html
+++ b/nodes/core/core/20-inject.html
@@ -379,7 +379,7 @@
 },
 button: {
 onclick: function() {
- var label = this.name||this.payload;
+ var label = (this.name||this.payload).replace(/&/g,"&").replace(//g,">");
 d3.xhr("inject/"+this.id).post(function(err,resp) {
 if (err) {
 if (err.status == 404) {
diff --git a/nodes/core/core/58-debug.html b/nodes/core/core/58-debug.html
index 58fe19374..dc611c8b1 100644
--- a/nodes/core/core/58-debug.html
+++ b/nodes/core/core/58-debug.html
@@ -156,9 +156,9 @@
 });
 RED.view.redraw();
 };
- var name = (o.name?o.name:o.id).toString().replace(//g,">");
- var topic = (o.topic||"").toString().replace(//g,">");
- var payload = (o.msg||"").toString().replace(//g,">");
+ var name = (o.name?o.name:o.id).toString().replace(/&/g,"&").replace(//g,">");
+ var topic = (o.topic||"").toString().replace(/&/g,"&").replace(//g,">");
+ var payload = (o.msg||"").toString().replace(/&/g,"&").replace(//g,">");
 msg.className = 'debug-message'+(o.level?(' debug-message-level-'+o.level):'')
 msg.innerHTML = ''+getTimestamp()+''+
 '['+name+']'+
diff --git a/public/red/ui/tab-info.js b/public/red/ui/tab-info.js
index 9693dce2f..c2ef60d9c 100644
--- a/public/red/ui/tab-info.js
+++ b/public/red/ui/tab-info.js
@@ -53,6 +53,7 @@ RED.sidebar.info = function() {
 if (val.length > 30) {
 val = val.substring(0,30)+" ...";
 }
+ val = val.replace(/&/g,"&").replace(//g,">");
 } else if (type === "number") {
 val = val.toString();
 } else if ($.isArray(val)) {
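Review bot: The new `label` line in 20-inject.html calls `.replace` directly on `this.name||this.payload`, so if both are unset or the payload is ever a non-string the click handler throws before the request is sent. The debug hunk coerces with `.toString()` first, and `var label = (this.name||this.payload||"").toString()` ahead of the replace chain would make the two consistent. The same escape chain is also written out at five call sites across the three files in this patch, so one shared escaping helper would keep them from drifting apart. The replace patterns are partly lost in this rendering of the patch, so the exact character set covered cannot be confirmed here. The `onclick` body continues past the hunk, so where `label` is finally rendered is not visible.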
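Review bot: The escaped `name`, `topic` and `payload` in 58-debug.html are still concatenated into `msg.innerHTML`, so the fix holds only while every interpolated value is escaped by hand and lands in element-text position. As far as the visible chain shows, quotes are not handled, so the same escaping would not be sufficient inside an attribute value. Creating the message elements and assigning the three fields through `textContent` would remove the dependence on string escaping for data that presumably originates from flow messages. The `msg.innerHTML` statement runs past the end of the hunk, so the remaining interpolations cannot be checked from here.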
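Review bot: Only the string branch in tab-info.js receives the new escaping. The `$.isArray(val)` branch opens on the hunk's last line with its body outside the hunk, so it is worth confirming that array elements, and any later branch for other types, are escaped before they reach the Info pane markup. Truncating to 30 characters before escaping is the right order, since escaping first could cut an entity in half. A comment on the added line such as `// escape after truncation so entities are never split` would keep a later refactor from swapping the two steps.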