From 4d726d25c5d955f52d2c18464c61295d70d91e20 Mon Sep 17 00:00:00 2001
From: moisseev
Date: Sat, 17 Oct 2020 21:40:58 +0300
Subject: [PATCH] [WebUI] Escape reserved HTML characters in editor
Issue: #3522
---
 interface/js/app/config.js | 2 +-
 interface/js/app/rspamd.js | 41 +++++++++++++++++++-------------------
 2 files changed, 22 insertions(+), 21 deletions(-)
diff --git a/interface/js/app/config.js b/interface/js/app/config.js
index 082806088..101935c35 100644
--- a/interface/js/app/config.js
+++ b/interface/js/app/config.js
@@ -170,7 +170,7 @@ define(["jquery", "codejar", "linenumbers", "prism"],
 success: function (data) {
 var readonly = "";
 var icon = "fa-edit";
- var text = data[0].data;
+ var text = rspamd.escapeHTML(data[0].data);
 if (item.editable === false || rspamd.read_only) {
 readonly = " readonly";
 icon = "fa-eye";
diff --git a/interface/js/app/rspamd.js b/interface/js/app/rspamd.js
index c3356c7e4..360ba603e 100644
--- a/interface/js/app/rspamd.js
+++ b/interface/js/app/rspamd.js
@@ -805,25 +805,26 @@ function ($, D3pie, visibility, NProgress, stickyTabs, tab_stat, tab_graph, tab_
 });
 };
+ ui.escapeHTML = function (string) {
+ var htmlEscaper = /[&<>"'/`=]/g;
+ var htmlEscapes = {
+ "&": "&",
+ "<": "<",
+ ">": ">",
+ "\"": """,
+ "'": "'",
+ "/": "/",
+ "`": "`",
+ "=": "="
+ };
+ return String(string).replace(htmlEscaper, function (match) {
+ return htmlEscapes[match];
+ });
+ };
+
 ui.preprocess_item = function (rspamd, item) {
- function escapeHTML(string) {
- var htmlEscaper = /[&<>"'/`=]/g;
- var htmlEscapes = {
- "&": "&",
- "<": "<",
- ">": ">",
- "\"": """,
- "'": "'",
- "/": "/",
- "`": "`",
- "=": "="
- };
- return String(string).replace(htmlEscaper, function (match) {
- return htmlEscapes[match];
- });
- }
 function escape_HTML_array(arr) {
- arr.forEach(function (d, i) { arr[i] = escapeHTML(d); });
+ arr.forEach(function (d, i) { arr[i] = ui.escapeHTML(d); });
 }
 for (var prop in item) {
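Review bot: Whether `rspamd.escapeHTML(data[0].data)` is the right treatment depends on how `text` is consumed further down in this `success` callback, which lies outside the hunk: the escaped value is only correct if it is interpolated into a markup string that the browser parses (the entities decode back to the original characters), whereas assigning it via textContent or passing it to the editor's own API would display literal entities and, because the table also rewrites `/`, backtick and `=`, could push those entities back into the configuration file on save. A short comment at the call site would pin that contract for the next maintainer, e.g. `// escaped for interpolation into the editor markup below; not safe to use as plain text`. The enclosing `success` handler starts and ends outside the hunk.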
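Review bot: The entity table in the new `ui.escapeHTML` as rendered on this page maps every character to itself (`"&": "&"`, `"<": "<"`, and so on), which would make the function a no-op; this is most likely the page decoding the entity references, but it is worth confirming the committed file still carries the escaped forms and that the test in #3522 actually observes encoded output. The function is now public on `ui` without any documentation, and the regex and lookup table are rebuilt on every call; hoisting both to module scope and adding a JSDoc header stating that the output is for HTML text and quoted-attribute context only (not JavaScript, URL or CSS contexts) would help callers use it safely. `String(string)` turns `null` and `undefined` into the literal strings "null" and "undefined", which callers such as `escape_HTML_array` may not expect. `ui.preprocess_item` continues past the end of the hunk.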
@@ -839,9 +840,9 @@ function ($, D3pie, visibility, NProgress, stickyTabs, tab_stat, tab_graph, tab_
 if (!sym.name) {
 sym.name = key;
 }
- sym.name = escapeHTML(sym.name);
+ sym.name = ui.escapeHTML(sym.name);
 if (sym.description) {
- sym.description = escapeHTML(sym.description);
+ sym.description = ui.escapeHTML(sym.description);
 }
 if (sym.options) {
@@ -851,7 +852,7 @@ function ($, D3pie, visibility, NProgress, stickyTabs, tab_stat, tab_graph, tab_
 break;
 default:
 if (typeof item[prop] === "string") {
- item[prop] = escapeHTML(item[prop]);
+ item[prop] = ui.escapeHTML(item[prop]);
 }
 }
 }
-- 
2.39.5