Chatroom: Move HTML escaping of messages from db to frontend

components/ILIAS/Chatroom/chat/SocketTasks/SendMessage.js

@@ -2,7 +2,6 @@ var Container = require('../AppContainer');
 var TextMessage = require('../Model/Messages/TextMessage');
 var TargetMessage = require('../Model/Messages/TargetMessage');
 var AccessHandler = require('../Handler/AccessHandler');
-var HTMLEscape = require('../Helper/HTMLEscape');
 
 module.exports = function (data, roomId) {
 	var serverRoomId = Container.createServerRoomId(roomId);
@@ -21,8 +20,6 @@ module.exports = function (data, roomId) {
 	}
 
         var subscriber = {id: this.subscriber.getId(), username: this.subscriber.getName(), profile_picture_visible: this.subscriber.isProfilePictureVisible()};
-	data.content = HTMLEscape.escape(data.content);
-
 	var message = {};
 
 	if (data.target !== undefined) {

components/ILIAS/Chatroom/classes/Setup/UpdateSteps.php

@@ -76,6 +76,23 @@ public function step_5(): void
         $this->db->manipulate('DELETE FROM chatroom_bans WHERE user_id NOT IN (SELECT usr_id FROM usr_data)');
     }
 
+    public function step_6(): void
+    {
+        $replace = [
+            '&lt;' => '<',
+            '&gt;' => '>',
+            '&amp;' => '&',
+            '&quot;' => '"',
+        ];
+
+        $s = 'JSON_VALUE(message, "$.content")';
+        foreach ($replace as $from => $to) {
+            $s = sprintf('REPLACE(%s, %s, %s)', $s, $this->db->quote($from, ilDBConstants::T_TEXT), $this->db->quote($to, ilDBConstants::T_TEXT));
+        }
+
+        $this->db->manipulate('UPDATE chatroom_history SET message = JSON_SET(message, "$.content", ' . $s . ') WHERE JSON_VALUE(message, "$.type") = "message"');
+    }
+
     private function dropColumnWhenExists(string $table, string $column): void
     {
         if ($this->db->tableColumnExists($table, $column)) {

components/ILIAS/Chatroom/classes/gui/class.ilChatroomHistoryGUI.php

@@ -160,8 +160,8 @@ private function showMessages(
                     );
 
                     $roomTpl->setCurrentBlock('message_line');
-                    $roomTpl->setVariable('MESSAGECONTENT', $message['message']->content); // oops... it is a message? ^^
-                    $roomTpl->setVariable('MESSAGESENDER', $message['message']->from->username);
+                    $roomTpl->setVariable('MESSAGECONTENT', htmlspecialchars($message['message']->content, ENT_QUOTES | ENT_SUBSTITUTE, 'utf-8')); // oops... it is a message? ^^
+                    $roomTpl->setVariable('MESSAGESENDER', htmlspecialchars($message['message']->from->username, ENT_QUOTES | ENT_SUBSTITUTE, 'utf-8'));
                     $roomTpl->parseCurrentBlock();
 
                     $roomTpl->setCurrentBlock('row');

components/ILIAS/Chatroom/resources/js/src/ChatMessageArea.js

@@ -111,7 +111,7 @@ export default class ChatMessageArea {
       notice: () => {
         const node = createDiv(['separator', 'system-message']);
         const content = createDiv([], 'p');
-        content.innerHTML = this.#txt(message.content, message.data);
+        content.textContent = this.#txt(message.content, message.data);
         node.appendChild(content);
         this.#pane.appendChild(node);
       },
@@ -128,7 +128,7 @@ export default class ChatMessageArea {
   }
 
   clearMessages() {
-    this.#pane.innerHTML = '';
+    this.#pane.textContent = '';
     this.#lastUser = null;
     this.#lastDate = remeberLastDate();
 
@@ -227,7 +227,7 @@ const link = (() => {
 
 function actualMessage(message) {
   const messageSpan = createDiv([], 'p');
-  messageSpan.innerHTML = message.content;
+  messageSpan.textContent = message.content;
   link(messageSpan);
 
   return messageSpan;