From d68ce2c213381da5b608fafb2e17a19260f7a8e8 Mon Sep 17 00:00:00 2001
From: Daniel Perez
Date: Mon, 30 May 2016 00:05:29 +0900
Subject: [PATCH] Properly escape HTML when working with content editable elements.
---
 src/content-script-tools/custom-events/workflowy.js | 4 +++-
 src/handlers/content-editable.js | 3 ++-
 src/util/string.js | 12 ++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/content-script-tools/custom-events/workflowy.js b/src/content-script-tools/custom-events/workflowy.js
index 18620b4..218dee7 100644
--- a/src/content-script-tools/custom-events/workflowy.js
+++ b/src/content-script-tools/custom-events/workflowy.js
@@ -1,9 +1,11 @@
+import string from 'ac-util/string';
+
 export default {
 url: new RegExp('https://workflowy\.com.*', 'i'),
 // override setvalue
 bind: function (window) {
 this.setValue = (value) => {
- this.elem.innerHTML = value;
+ this.elem.innerHTML = string.htmlEscape(value);
 };
 }
 };
diff --git a/src/handlers/content-editable.js b/src/handlers/content-editable.js
index aa53db6..9d3b95a 100644
--- a/src/handlers/content-editable.js
+++ b/src/handlers/content-editable.js
@@ -1,4 +1,5 @@
 import BaseHandler from './base';
+import string from 'ac-util/string';
 class ContentEditableHandler extends BaseHandler {
 getValue() {
@@ -31,7 +32,7 @@ class ContentEditableHandler extends BaseHandler {
 if (v.trim().length === 0) {
 return '
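Review bot: The overridden setValue still writes the editor text through `innerHTML` and relies on the escape helper to make that safe; if the intent is simply to show the text verbatim, `this.elem.textContent = value;` sets it as text with no escaping step and removes the dependency on the helper's character table being complete. If Workflowy needs the value inserted as markup (as ContentEditableHandler does with its per-line wrappers), the escaped innerHTML is the right shape, and a one-line comment such as `// innerHTML is required here; value is escaped so it is rendered as text` would tell the next reader why textContent was not used. The setValue body is fully visible in this hunk.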
'; } - return '
' + v + '
'; + return '
' + string.htmlEscape(v) + '
';
 }).join('');
 this.elem.innerHTML = htmlValue;
 super.setValue(value);
diff --git a/src/util/string.js b/src/util/string.js
index 61e1553..0c0c29b 100644
--- a/src/util/string.js
+++ b/src/util/string.js
@@ -4,5 +4,17 @@ export default {
 return s;
 }
 return s[0].toUpperCase() + s.slice(1);
+ },
+
+ htmlEscape: function (s) {
+ if (!s) {
+ return s;
+ }
+ return s
+ .replace(/&/g, '&')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
+ .replace(//g, '>');
 }
 };
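Review bot: Escaping each line before it is wrapped and assigned to `innerHTML` is the right place for it, but the round trip now depends on how `getValue()` (whose signature appears in the first hunk of this file, body outside the hunk) reads the element back: if it reads `innerHTML`, the entities produced by `string.htmlEscape` will be returned as literal `&amp;`-style text to the editor, so confirm it reads `innerText`/`textContent`, or unescape symmetrically. The enclosing setValue starts before this hunk, so the origin of `v` is not visible here; a comment on the changed line such as `// v comes from the external editor and is untrusted as markup; render it as text` would record why the escape is required. The whitespace-only branch returns a fixed placeholder line and so correctly bypasses the escape.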
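Review bot: The last two `.replace` calls in `htmlEscape` are garbled as rendered on this page (the regex for `<` and the `&lt;`/`&gt;` entity names were dropped, leaving `.replace(//g, '>')`, which would not even parse), so verify the committed chain escapes all five characters HTML treats specially: `&` first, then `<`, `>`, `"`, and `'`. Replacing `&` first matters because the later steps emit `&`-prefixed entities that would otherwise be re-escaped; that ordering deserves a comment, e.g. `// & must be escaped first so the entities emitted below are not escaped again`. The `if (!s) return s;` guard also returns non-string falsy values (`0`, `null`, `undefined`) unchanged, which callers then assign to `innerHTML`; if only strings are expected, a JSDoc `@param {string} s` and `@returns {string}` on the exported function would make that contract explicit.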