From 52fc4974120a538cecfde277109a2de5c68f97cc Mon Sep 17 00:00:00 2001
From: Nick O'Leary
Date: Sun, 27 Nov 2016 21:51:34 +0000
Subject: [PATCH] Properly escape html strings passed to debug
---
 editor/js/ui/utils.js | 40 ++++++++++++++----------
 editor/sass/debug.scss | 3 +-
 nodes/core/core/lib/debug/debug-utils.js | 2 +-
 3 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/editor/js/ui/utils.js b/editor/js/ui/utils.js
index 24227dd04..58af98b75 100644
--- a/editor/js/ui/utils.js
+++ b/editor/js/ui/utils.js
@@ -19,6 +19,9 @@ RED.utils = (function() { function formatString(str) { return str.replace(/\r?\n/g,"↵").replace(/\t/g,"→"); }
+ function sanitize(m) {
+ return m.replace(/&/g,"&").replace(//g,">");
+ } function buildMessageSummaryValue(value) { var result;
@@ -35,9 +38,11 @@ RED.utils = (function() { result = $('object'); } } else if (typeof value === 'string') {
- subvalue = value;
- if (subvalue.length > 30) {
- subvalue = subvalue.substring(0,30)+"…";
+ var subvalue;
+ if (value.length > 30) {
+ subvalue = sanitize(value.substring(0,30))+"…";
+ } else {
+ subvalue = sanitize(value); } result = $('').html('"'+formatString(subvalue)+'"'); } else {
@@ -68,7 +73,7 @@ RED.utils = (function() { var entryObj; var header; var headerHead;
- var value,subvalue;
+ var value; var element = $(''); if (!key) { element.addClass("debug-message-top-level");
@@ -98,23 +103,26 @@ RED.utils = (function() { makeExpandable(header, function() { $('').html(typeHint||'string').appendTo(header); var row = $('').appendTo(element);
- $('
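Review bot: The new `sanitize` helper in the first hunk has no comment stating its contract, and the order in which it is composed with `formatString` in the second hunk (`formatString(sanitize(...))`) and again on the `entryObj` string line later in this patch is load-bearing: `sanitize` must run first, because it escapes `&`, while `formatString` substitutes the newline and tab glyphs that must reach the DOM unescaped (the helper's body is garbled in this rendering, so I cannot confirm the exact replacement set). A header comment such as `// Escape &, < and > so a string is safe as element text via .html(); always call before formatString, never after.` would make both points explicit. Since the helper appears to escape only text-content characters, it should also say it is not sufficient for attribute values. Truncating before sanitizing in the second hunk is the right order, as cutting after escaping could split an entity.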
').html(obj).appendTo(row);
+                    $('
').text(obj).appendTo(row);
                 });
             }
-            $('').html('"'+formatString(obj)+'"').appendTo(entryObj);
+            $('').html('"'+formatString(sanitize(obj))+'"').appendTo(entryObj);
 
 
         } else if (typeof obj === 'number') {
             e = $('').text(""+obj).appendTo(entryObj);
-            e.click(function(evt) {
-                var format = $(this).data('format');
-                if (format === 'hex') {
-                    $(this).text(""+obj).data('format','dec');
-                } else {
-                    $(this).text("0x"+(obj).toString(16)).data('format','hex');
-                }
-                evt.preventDefault();
-            });
+            if ((obj^0)===obj) {
+                e.addClass("debug-message-type-number-toggle");
+                e.click(function(evt) {
+                    var format = $(this).data('format');
+                    if (format === 'hex') {
+                        $(this).text(""+obj).data('format','dec');
+                    } else {
+                        $(this).text("0x"+(obj).toString(16)).data('format','hex');
+                    }
+                    evt.preventDefault();
+                });
+            }
         } else if (isArray) {
             element.addClass('collapsed');
 
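Review bot: The integer test `(obj^0)===obj` that gates the new hex toggle is true only for values representable as a signed 32-bit integer, so larger integers such as millisecond timestamps render without the toggle even though `toString(16)` would display them fine. If that narrowing is deliberate, a comment on that line should say so; otherwise `if (isFinite(obj) && Math.floor(obj) === obj) {` covers every integer while still excluding `Infinity` and `NaN`. The `.text(obj)` replacement for `.html(obj)` in the expandable row is the right fix for untrusted payload text. This hunk cuts through the middle of the enclosing function.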
@@ -155,7 +163,7 @@ RED.utils = (function() {
                         } catch(err) {
                             console.log(err);
                         }
-                        $('
').html(stringEncoding).appendTo(sr);
+                        $('
').text(stringEncoding).appendTo(sr);
                         var bufferOpts = $('').appendTo(headerHead);
                         $('').addClass('selected').html('raw').appendTo(bufferOpts).click(function(e) {
                             if ($(this).text() === 'raw') {
diff --git a/editor/sass/debug.scss b/editor/sass/debug.scss
index f56a8c7f3..7e3db9d10 100644
--- a/editor/sass/debug.scss
+++ b/editor/sass/debug.scss
@@ -150,7 +150,8 @@
 .debug-message-type-string { color: #b72828; }
 .debug-message-type-null { color: #666; font-style: italic;}
 .debug-message-type-meta { color: #666; font-style: italic;}
-.debug-message-type-number { color: #2033d6;cursor: pointer;}
+.debug-message-type-number { color: #2033d6; };
+.debug-message-type-number-toggle { cursor: pointer;}
 
 .debug-message-expandable {
     cursor: pointer;
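Review bot: The rewritten rule `.debug-message-type-number { color: #2033d6; };` carries a stray semicolon after the closing brace that the line it replaces did not have. Whether a top-level `;` is tolerated or rejected depends on the Sass compiler in use, so drop it: `.debug-message-type-number { color: #2033d6; }`.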
diff --git a/nodes/core/core/lib/debug/debug-utils.js b/nodes/core/core/lib/debug/debug-utils.js
index 4767733a2..5322266a5 100644
--- a/nodes/core/core/lib/debug/debug-utils.js
+++ b/nodes/core/core/lib/debug/debug-utils.js
@@ -198,7 +198,7 @@ RED.debug = (function() {
         var name = sanitize(((o.name?o.name:o.id)||"").toString());
         var topic = sanitize((o.topic||"").toString());
         var property = sanitize(o.property?o.property:'');
-        var payload = sanitize((o.msg||"").toString());
+        var payload = o.msg;
         var format = sanitize((o.format||"").toString());
         msg.className = 'debug-message'+(o.level?(' debug-message-level-'+o.level):'') +
         ((sourceNode&&sourceNode.z)?((" debug-message-flow-"+sourceNode.z+((filter&&(activeWorkspace!==sourceNode.z))?" hide":""))):"");
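Review bot: The new `var payload = o.msg;` drops both the escaping and the `(o.msg||"").toString()` guard of the line it replaces, so `payload` now holds the raw message value, possibly `undefined` or a non-string, with no local marker that it must not be passed through `.html()`. That is only safe if every consumer renders it through the escaping helpers this patch adds to `RED.utils`; the consumers are outside this hunk, so I cannot confirm, and the asymmetry with the still-sanitized `name`, `topic`, `property` and `format` variables directly above will trip a future reader. Add a comment on the new line, e.g. `var payload = o.msg; // raw, not escaped here: must only be rendered via RED.utils, which sanitizes`. The enclosing function continues outside the hunk.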