From 9d01a8d4d0c72af3c5ccbbb15e085a137cdf73de Mon Sep 17 00:00:00 2001
From: lehtint6 <teemu.t.lehtinen@aalto.fi>
Date: Tue, 14 Apr 2020 12:03:32 +0300
Subject: [PATCH] Escape editor code in feedback

---
 static/webdev-editor.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/static/webdev-editor.js b/static/webdev-editor.js
index ed1fdba..de0e2f3 100644
--- a/static/webdev-editor.js
+++ b/static/webdev-editor.js
@@ -79,9 +79,19 @@ ACOSWebdev.prototype.extendGrade = function (eventOrMutations, cb) {
 ACOSWebdev.prototype.extendProtocolFeedback = function (feedback) {
   var $out = $(this.$editorOutput.find('iframe').get(0).contentWindow.document.body);
   $out.find('script').remove();
-  return '<pre><code>' + this.editor.getValue() + '</code></pre><div>' + $out.html() + '</div>';
+  return '<pre><code>' + this.esc(this.editor.getValue()) + '</code></pre><div>' + $out.html() + '</div>';
 };
 
+ACOSWebdev.prototype.esc = function (str) {
+  if (str) {
+    var rep = {'&': '&amp;', '<': '&lt;', '>': '&gt;'};
+    return str.replace(/[&<>]/g, function (ch) {
+      return rep[ch] || ch;
+    });
+  }
+  return str;
+}
+
 ACOSWebdev.prototype.editorExecute = function (cb) {
   var $iframe = $('<iframe src="about:blank"></iframe>');
   this.$editorOutput.empty().append($iframe);
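Review bot: The escaping added on the changed `return` line covers only the editor text; the `$out.html()` fragment concatenated after it is still inserted raw, with only the existing `$out.find('script').remove()` applied, so other active markup in the rendered iframe body (inline event-handler attributes, `<iframe>`, `<object>`, `<style>`) reaches the feedback string unchanged. If that string is rendered as HTML downstream (not visible in this hunk), that half needs either the same treatment, `'<div>' + this.esc($out.html()) + '</div>'`, if the intent is to show the output as text, or a real HTML sanitizer rather than element removal, and a comment on the line stating which part is trusted and why. In `esc`, `if (str)` passes every falsy value and any non-string through untouched, so the caller still relies on `getValue()` returning a string; a header comment such as `// Escapes &, <, > for use as element text content only (not attribute values); non-string or empty input is returned unchanged.` would make that contract explicit. The new function expression also ends with `}` and no `;`, unlike `extendProtocolFeedback` directly above it.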
-- 
GitLab