From 211834c7c9d6bc268b487634c5169d9f708a5127 Mon Sep 17 00:00:00 2001 From: xLuxy <67131061+xLuxy@users.noreply.github.com> Date: Thu, 21 Sep 2023 22:18:26 +0200 Subject: [PATCH] properly escape chat input --- chat/client/html/app.js | 17 +++++++++++++++-- freeroam-extended/client/html/app.js | 21 ++++++++++++++++----- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/chat/client/html/app.js b/chat/client/html/app.js index b399da8..55674ef 100644 --- a/chat/client/html/app.js +++ b/chat/client/html/app.js @@ -9,16 +9,29 @@ let msgInputLine = null; if (window.alt === undefined) { window.alt = { - emit: () => {}, - on: () => {}, + emit: () => { }, + on: () => { }, }; } +function escapeString(str) { + if (typeof str !== "string") return str; + + return str + .replace(/&/g, "&") + .replace(//g, ">") + .replace(/"/g, """) + .replace(/'/g, "'"); +} + function colorify(text) { let matches = []; let m = null; let curPos = 0; + text = escapeString(text); + do { m = /\{[A-Fa-f0-9]{3}\}|\{[A-Fa-f0-9]{6}\}/g.exec(text.substr(curPos)); diff --git a/freeroam-extended/client/html/app.js b/freeroam-extended/client/html/app.js index ed5c0f2..c27ab3a 100644 --- a/freeroam-extended/client/html/app.js +++ b/freeroam-extended/client/html/app.js @@ -9,14 +9,25 @@ let msgInputLine = null; if (window.alt === undefined) { window.alt = { - emit: () => {}, - on: () => {}, + emit: () => { }, + on: () => { }, }; } +function escapeString(str) { + if (typeof str !== "string") return str; + + return str + .replace(/&/g, "&") + .replace(//g, ">") + .replace(/"/g, """) + .replace(/'/g, "'"); +} + function colorify(text) { - if (text && typeof text === 'string') text = text.replace(/[<>]/g, ''); - + text = escapeString(text); + let matches = []; let m = null; let curPos = 0; 
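Review bot: `escapeString` returns any non-string unchanged, so in `colorify` a number, `null` or object skips escaping and then reaches `text.substr(curPos)` in the loop, where it throws instead of rendering safely. Coercing at the call site closes both gaps: `text = escapeString(String(text ?? ""));`. The same helper and call are added in freeroam-extended/client/html/app.js, so the change applies there too. As rendered on this page the replacement strings appear entity-decoded and the `<` rule is not legible, so the mapping should be confirmed against the raw file. `colorify` continues past the end of the hunk, so how the escaped text finally reaches the DOM is not visible here.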
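Review bot: `escapeString` in freeroam-extended/client/html/app.js duplicates the copy added to chat/client/html/app.js, and the two can drift the next time only one is edited; a shared script loaded by both pages would keep a single definition. If the copy stays, a comment above it should record what it is safe for, e.g. `// HTML-escapes text for element content and quoted attribute values only; not for URLs, inline script or style.`. A short comment at the call in `colorify` should also say that escaping must run before the colour-code markup is built, because that part of `colorify` lies outside this hunk and a later edit could reorder it.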
@@ -207,7 +218,7 @@ function setVoiceConnectionState(state) { el.classList.remove(".voice-connection-status-connecting"); let stateText = "Disconnected" - switch(state) { + switch (state) { case 0: stateText = "Disconnected" el.classList.add(".voice-connection-status-disconnected")