From c4d9d5cc548bb17d8ef190cfa13045562a1e9820 Mon Sep 17 00:00:00 2001 From: Nico Weber Date: Wed, 22 Jul 2020 21:43:08 -0400 Subject: Browser: Escape JS source operators for HTML display in console Console inputs to try before and after this patch: - `0xffff & 0xff` - `"a & b"` - `"
"` - `a &` (to see the escaping in the error hint)
---
 Applications/Browser/ConsoleWidget.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Applications/Browser')
diff --git a/Applications/Browser/ConsoleWidget.cpp b/Applications/Browser/ConsoleWidget.cpp
index 459043d991..c14e6183c8 100644
--- a/Applications/Browser/ConsoleWidget.cpp
+++ b/Applications/Browser/ConsoleWidget.cpp
@@ -91,7 +91,7 @@ ConsoleWidget::ConsoleWidget()
 auto error = parser.errors()[0];
 auto hint = error.source_location_hint(js_source);
 if (!hint.is_empty())
- output_html.append(String::format("
%s
", hint.characters()));
+ output_html.append(String::format("
%s
", escape_html_entities(hint).characters()));
 m_interpreter->throw_exception(error.to_string());
 } else {
 m_interpreter->run(m_interpreter->global_object(),*program);
-- cgit v1.2.3
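Review bot: Only the source-location hint is escaped here; `error.to_string()` on the next line is passed to `throw_exception` unescaped, and a parser error message may echo tokens from the typed source. Whether that string later reaches the console's HTML output is not visible in this hunk, because the body of `ConsoleWidget::ConsoleWidget()` starts and ends outside it. It is worth confirming that the path which prints the exception also applies `escape_html_entities`. Because escaping is done per call site, a comment above the append such as `// hint echoes user-typed source; HTML-escape before appending to output_html` would help keep later appends consistent.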