Escape HTML output

Author: SamuelTallet

static/js/mpg.database.query.js

@@ -483,7 +483,10 @@ MPG.eventListeners.addUpdate = function() {
 
             var documentField = event.currentTarget;
 
-            var documentFieldNewValue = window.prompt('New value', documentField.innerHTML);
+            var documentFieldNewValue = window.prompt(
+                'New value',
+                MPG.helpers.unescapeHTML(documentField.innerHTML)
+            );
 
             if ( documentFieldNewValue === null ) {
                 return;
@@ -518,8 +521,8 @@ MPG.eventListeners.addUpdate = function() {
                 function(response) {
 
                     if ( JSON.parse(response) === 1 ) {
-                        documentField.innerHTML = MPG.helpers.convertAnyToString(
-                            documentFieldNewValue
+                        documentField.innerHTML = MPG.helpers.escapeHTML(
+                            MPG.helpers.convertAnyToString(documentFieldNewValue)
                         );
                     }
 

static/js/mpg.js

@@ -140,6 +140,33 @@ MPG.helpers.completeNavLinks = function(urlFragment) {
 
 };
 
+/**
+ * Escapes HTML tags and entities.
+ * This prevents HTML stored in MongoDB documents to be interpreted by browser.
+ * 
+ * @param {string} html
+ * 
+ * @returns {string}
+ */
+MPG.helpers.escapeHTML = function(html) {
+
+    return html.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+
+};
+
+/**
+ * Unescapes HTML tags and entities.
+ * 
+ * @param {string} html
+ * 
+ * @returns {string}
+ */
+MPG.helpers.unescapeHTML = function(html) {
+
+    return html.replace(/&amp;/g, '&').replace(/&lt;/g, '<').replace(/&gt;/g, '>');
+
+};
+
 /**
  * Reloads collections of a specific database.
  *