From 62f4a2edffdbf5f4fc0b5a1b8cfe70f32e594938 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= <hugo@lysator.liu.se>
Date: Wed, 30 Mar 2022 03:36:51 +0200
Subject: Handle XML entities slightly better in user-additions.js.

---
 static/user/user-additions.js | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/static/user/user-additions.js b/static/user/user-additions.js
index 3b39b3ad..6d944b86 100644
--- a/static/user/user-additions.js
+++ b/static/user/user-additions.js
@@ -1,12 +1,21 @@
 window.formatters.set('description', (el, d) => {
     if (/<br\/?>/.exec(d)) {
-        /* Assume that the text is HTML iff in contains a <br/> tag */
+        /* Assume that the text is HTML iff it contains a <br/> tag */
         let parser = new DOMParser();
         let doc = parser.parseFromString(d, 'text/html');
         el.replaceChildren(doc.body);
     } else {
-        /* Otherwise it should be plain(er) text, parse "all" links */
-        el.innerHTML = d.replaceAll(/https?:\/\/\S+/g, '<a href="$&">$&</a>');
+        /* Otherwise it should be plain(er) text, parse "all" links
+           (and reserved XML characters)
+        */
+        // TODO replace with something that doesn't use innerHTML */
+        el.innerHTML = d
+            .replaceAll(/</g, '&lt;')
+            .replaceAll(/>/g, '&gt;')
+            .replaceAll(/&/g, '&amp;')
+            .replaceAll(/'/g, '&apos;')
+            .replaceAll(/"/g, '&quot;')
+            .replaceAll(/https?:\/\/\S+/g, '<a href="$&">$&</a>')
     }
 })
 
-- 
cgit v1.2.3