
Commit 4375a15

committed
BUGFIX #119: Recipe names are now correctly escaped.
1 parent 0f02fb5 commit 4375a15


1 file changed

+3
-2
lines changed


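--- a/src/web/ControlsWaiter.js
+++ b/src/web/ControlsWaiter.js
@@ -244,7 +244,7 @@ ControlsWaiter.prototype.loadClick = function() {
 * Saves the recipe specified in the save textarea to local storage.
 */
 ControlsWaiter.prototype.saveButtonClick = function() {
-var recipeName = document.getElementById("save-name").value,
+var recipeName = Utils.escapeHtml(document.getElementById("save-name").value),
 recipeStr = document.getElementById("save-text").value;
 
 if (!recipeName) {
@@ -288,7 +288,8 @@ ControlsWaiter.prototype.populateLoadRecipesList = function() {
 for (i = 0; i < savedRecipes.length; i++) {
 var opt = document.createElement("option");
 opt.value = savedRecipes[i].id;
-opt.innerHTML = savedRecipes[i].name;
+// Unescape then re-escape in case localStorage has been corrupted
+opt.innerHTML = Utils.escapeHtml(Utils.unescapeHtml(savedRecipes[i].name));
 
 loadNameEl.appendChild(opt);
 }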
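Review bot: In populateLoadRecipesList the stored name is still assigned through `innerHTML`, so the fix is only as strong as `Utils.escapeHtml` and its pairing with `Utils.unescapeHtml`. Setting the label as text avoids HTML parsing at the sink and still handles names already stored in escaped form: `opt.textContent = Utils.unescapeHtml(savedRecipes[i].name);`. Escaping in saveButtonClick also means localStorage now holds the HTML-encoded name, so any other reader of that value (none is visible in these hunks) has to know it is encoded. Because the stored value is treated as untrusted anyway, as the added comment acknowledges, the output-side handling is the control that matters, and the save-side escape could arguably be dropped in favour of storing the raw name. Both functions continue outside the hunks shown, so other uses of `recipeName` could not be checked here.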
