From 9a838386222961cbc0887e34a1e42579098dc716 Mon Sep 17 00:00:00 2001
From: demir <46607042+swordfishtr@users.noreply.github.com>
Date: Mon, 30 Sep 2024 13:44:54 +0300
Subject: [PATCH] Fixed missing HTML sanitization (again) (#2284)

---
 play.pokemonshowdown.com/js/client-teambuilder.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/play.pokemonshowdown.com/js/client-teambuilder.js b/play.pokemonshowdown.com/js/client-teambuilder.js
index 658eafd74d..fd2593e4fd 100644
--- a/play.pokemonshowdown.com/js/client-teambuilder.js
+++ b/play.pokemonshowdown.com/js/client-teambuilder.js
@@ -494,7 +494,7 @@
 					// support dragging and dropping buttons.
 					buf += '<li><div name="edit" data-value="' + i + '" class="team';
 					if (team.capacity === 24) buf += ' pc-box';
-					buf += '" draggable="true">' + formatText + '<strong>' + BattleLog.escapeHTML(team.name) + '</strong><br /><small>';
+					buf += '" draggable="true">' + BattleLog.escapeHTML(formatText) + '<strong>' + BattleLog.escapeHTML(team.name) + '</strong><br /><small>';
 					buf += Storage.getTeamIcons(team);
 					buf += '</small></div><button name="edit" value="' + i + '"><i class="fa fa-pencil" aria-label="Edit" title="Edit (you can also just click on the team)"></i></button><button name="duplicate" value="' + i + '" title="Duplicate" aria-label="Duplicate"><i class="fa fa-clone"></i></button><button name="delete" value="' + i + '"><i class="fa fa-trash"></i> Delete</button></li>';