add url decoding and html escaping

kaz-on · kaz-on · commit 206690236788 · 2021-11-21T17:15:31.000+09:00
diff --git a/src/main/resources/embedding/assets/entry.js b/src/main/resources/embedding/assets/entry.js
@@ -57,6 +57,10 @@ $(function(){
         return xmlHttp.responseText;
     }
 
+    function escapeHtml(text) {
+        return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+    }
+
     function convertLinks(){
         const elements = $('.markdown-body p');
         let element;
@@ -80,9 +84,12 @@ $(function(){
                 }
                 let commitUrl = getCommitUrl(url, filepath);
                 try{
+                    filepath = decodeURIComponent(filepath);
+                    filepath = escapeHtml(filepath);
                     let content = getContent(url);
                     let linesAll = content.split(/\n|\r\n?/);
                     let lines = linesAll.slice(startLine-1, endLine).join("\n");
+                    lines = escapeHtml(lines);
                     let snippetElement = generateSnippetElement(repo, filepath, commit, startLine, endLine, lines, url, commitUrl);
                     element.insertAdjacentHTML('afterend', snippetElement);
                     element.remove();
