[WebUI] Escape reserved HTML characters in editor 3523/head
authormoisseev <moiseev@mezonplus.ru>
Sat, 17 Oct 2020 18:40:58 +0000 (21:40 +0300)
committermoisseev <moiseev@mezonplus.ru>
Sat, 17 Oct 2020 18:40:58 +0000 (21:40 +0300)
Issue: #3522

interface/js/app/config.js
interface/js/app/rspamd.js

index 082806088bd62e3650e520289cf036a5fa8ae6ce..101935c35872d01c4ac11807e91cda67183bc044 100644 (file)
@@ -170,7 +170,7 @@ define(["jquery", "codejar", "linenumbers", "prism"],
                     success: function (data) {
                         var readonly = "";
                         var icon = "fa-edit";
-                        var text = data[0].data;
+                        var text = rspamd.escapeHTML(data[0].data);
                         if (item.editable === false || rspamd.read_only) {
                             readonly = " readonly";
                             icon = "fa-eye";
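Review bot: The escaped value is assigned to `text` at the `+` line, but its consumer is outside the hunk, and HTML-escaping is only correct if that consumer inserts the string as markup (innerHTML / jQuery `.html()`); if it instead goes through `textContent`, `.text()` or an editor value setter, the user sees `&lt;` and `&amp;` literally. It is also worth confirming, presumably in the editor's save handler, that the escaped entities are not round-tripped back to the server as the file's content. A short comment at the assignment would pin the contract for the next reader: `// HTML-escaped: only safe to insert as markup, never via textContent/val()`. The enclosing `success` callback starts and ends outside this hunk.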
index c3356c7e4d6f7c9472cd3f4a6e6eaa82f0678c3a..360ba603e1d778a387380da3eeffbec6df092e42 100644 (file)
@@ -805,25 +805,26 @@ function ($, D3pie, visibility, NProgress, stickyTabs, tab_stat, tab_graph, tab_
         });
     };
 
+    ui.escapeHTML = function (string) {
+        var htmlEscaper = /[&<>"'/`=]/g;
+        var htmlEscapes = {
+            "&": "&amp;",
+            "<": "&lt;",
+            ">": "&gt;",
+            "\"": "&quot;",
+            "'": "&#39;",
+            "/": "&#x2F;",
+            "`": "&#x60;",
+            "=": "&#x3D;"
+        };
+        return String(string).replace(htmlEscaper, function (match) {
+            return htmlEscapes[match];
+        });
+    };
+
     ui.preprocess_item = function (rspamd, item) {
-        function escapeHTML(string) {
-            var htmlEscaper = /[&<>"'/`=]/g;
-            var htmlEscapes = {
-                "&": "&amp;",
-                "<": "&lt;",
-                ">": "&gt;",
-                "\"": "&quot;",
-                "'": "&#39;",
-                "/": "&#x2F;",
-                "`": "&#x60;",
-                "=": "&#x3D;"
-            };
-            return String(string).replace(htmlEscaper, function (match) {
-                return htmlEscapes[match];
-            });
-        }
         function escape_HTML_array(arr) {
-            arr.forEach(function (d, i) { arr[i] = escapeHTML(d); });
+            arr.forEach(function (d, i) { arr[i] = ui.escapeHTML(d); });
         }
 
         for (var prop in item) {
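Review bot: `ui.escapeHTML` coerces its argument with `String(string)`, so `null` or `undefined` is escaped to the literal text "null"/"undefined" rather than to an empty string; while that was harmless for the private helper, the function is now a public `ui` method called on `data[0].data` from config.js, where an absent field would silently become the string "undefined" in the editor. Either guard it, `if (string == null) { return ""; }` before the `return`, or document the behaviour so callers know to check for it. A JSDoc header above the function, stating that it escapes `& < > " ' / \` =` to entities for insertion as HTML text and that non-string input is coerced with `String()`, would cover the second option. As a point of style, `htmlEscaper` and `htmlEscapes` are rebuilt on every call and could live once at module scope next to `ui`. The enclosing `ui.preprocess_item` continues past the end of this hunk.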
@@ -839,9 +840,9 @@ function ($, D3pie, visibility, NProgress, stickyTabs, tab_stat, tab_graph, tab_
                         if (!sym.name) {
                             sym.name = key;
                         }
-                        sym.name = escapeHTML(sym.name);
+                        sym.name = ui.escapeHTML(sym.name);
                         if (sym.description) {
-                            sym.description = escapeHTML(sym.description);
+                            sym.description = ui.escapeHTML(sym.description);
                         }
 
                         if (sym.options) {
@@ -851,7 +852,7 @@ function ($, D3pie, visibility, NProgress, stickyTabs, tab_stat, tab_graph, tab_
                     break;
                 default:
                     if (typeof item[prop] === "string") {
-                        item[prop] = escapeHTML(item[prop]);
+                        item[prop] = ui.escapeHTML(item[prop]);
                     }
             }
         }