Escape editor code in feedback

9d01a8d4 · lehtint6 · e9070f16 · 9d01a8d4
Commit 9d01a8d4 authored Apr 14, 2020 by lehtint6
--- a/static/webdev-editor.js
+++ b/static/webdev-editor.js
@@ -79,9 +79,19 @@ ACOSWebdev.prototype.extendGrade = function (eventOrMutations, cb) {
 ACOSWebdev.prototype.extendProtocolFeedback = function (feedback) {
  var $out = $(this.$editorOutput.find('iframe').get(0).contentWindow.document.body);
  $out.find('script').remove();
-  return '<pre><code>' + this.editor.getValue() + '</code></pre><div>' + $out.html() + '</div>';
+  return '<pre><code>' + this.esc(this.editor.getValue()) + '</code></pre><div>' + $out.html() + '</div>';
 };

+ACOSWebdev.prototype.esc = function (str) {
+  if (str) {
+    var rep = {'&': '&amp;', '<': '&lt;', '>': '&gt;'};
+    return str.replace(/[&<>]/g, function (ch) {
+      return rep[ch] || ch;
+    });
+  }
+  return str;
+}
+
 ACOSWebdev.prototype.editorExecute = function (cb) {
  var $iframe = $('<iframe src="about:blank"></iframe>');
  this.$editorOutput.empty().append($iframe);