From 724acff59179a50dcce3f1c4fcc16215f5c73fb9 Mon Sep 17 00:00:00 2001
From: Nick O'Leary <nick.oleary@gmail.com>
Date: Thu, 7 Feb 2019 09:11:06 +0000
Subject: [PATCH] Properly sanitize node names in deploy warning dialogs

---
 .../@node-red/editor-client/src/js/ui/deploy.js           | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/packages/node_modules/@node-red/editor-client/src/js/ui/deploy.js b/packages/node_modules/@node-red/editor-client/src/js/ui/deploy.js
index bae8dec40..96363e21b 100644
--- a/packages/node_modules/@node-red/editor-client/src/js/ui/deploy.js
+++ b/packages/node_modules/@node-red/editor-client/src/js/ui/deploy.js
@@ -261,7 +261,9 @@ RED.deploy = (function() {
         }
         return list;
     }
-
+    function sanitize(html) {
+        return html.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;")
+    }
     function restart() {
         var startTime = Date.now();
         $(".deploy-button-content").css('opacity',0);
@@ -353,7 +355,7 @@ RED.deploy = (function() {
                 if (hasUnknown && !ignoreDeployWarnings.unknown) {
                     showWarning = true;
                     notificationMessage = "<p>"+RED._('deploy.confirm.unknown')+"</p>"+
-                        '<ul class="node-dialog-configm-deploy-list"><li>'+cropList(unknownNodes).join("</li><li>")+"</li></ul><p>"+
+                        '<ul class="node-dialog-configm-deploy-list"><li>'+cropList(unknownNodes).map(function(n) { return sanitize(n) }).join("</li><li>")+"</li></ul><p>"+
                         RED._('deploy.confirm.confirm')+
                         "</p>";
 
@@ -373,7 +375,7 @@ RED.deploy = (function() {
                     invalidNodes.sort(sortNodeInfo);
 
                     notificationMessage = "<p>"+RED._('deploy.confirm.improperlyConfigured')+"</p>"+
-                        '<ul class="node-dialog-configm-deploy-list"><li>'+cropList(invalidNodes.map(function(A) { return (A.tab?"["+A.tab+"] ":"")+A.label+" ("+A.type+")"})).join("</li><li>")+"</li></ul><p>"+
+                        '<ul class="node-dialog-configm-deploy-list"><li>'+cropList(invalidNodes.map(function(A) { return sanitize( (A.tab?"["+A.tab+"] ":"")+A.label+" ("+A.type+")")})).join("</li><li>")+"</li></ul><p>"+
                         RED._('deploy.confirm.confirm')+
                         "</p>";
                     notificationButtons= [