From c67eab347902ff6fe4f101226e7242c7403557f7 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Mon, 20 Jul 2015 22:02:08 +0100
Subject: [PATCH] Escape HTML provided in form - issue #148
---
 RIGS/static/js/interaction.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/RIGS/static/js/interaction.js b/RIGS/static/js/interaction.js
index 8d2fae16..e7d023e1 100644
--- a/RIGS/static/js/interaction.js
+++ b/RIGS/static/js/interaction.js
@@ -11,6 +11,10 @@ function nl2br (str, is_xhtml) {
 return (str + '').replace(/([^>\r\n]?)(\r\n|\n\r|\r|\n)/g, '$1'+ breakTag +'$2');
 }
+function escapeHtml (str) {
+ return $('
').text(str).html();
+}
+
 function updatePrices() {
 // individual rows
 var sum = 0;
@@ -101,8 +105,8 @@ $('body').on('submit', '#item-form', function (e) {
 }
 // update the table
 $row = $('#item-' + pk);
- $row.find('.name').html(fields.name);
- $row.find('.description').html(nl2br(fields.description));
+ $row.find('.name').html(escapeHtml(fields.name));
+ $row.find('.description').html(nl2br(escapeHtml(fields.description)));
 $row.find('.cost').html(parseFloat(fields.cost).toFixed(2));
 $row.find('.quantity').html(fields.quantity);
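Review bot: The new `escapeHtml` has no comment stating which context its output is safe for, and that matters because serialising a text node back through `.html()` encodes `&`, `<` and `>` but leaves `"` and `'` untouched, so the result is only safe as element content and must never be interpolated into an attribute value, a `style`, or inline script. Suggest `// Escape for element content only: encodes &, <, > via innerHTML serialisation; quotes are NOT encoded, so never use the result inside attribute values.` above `function escapeHtml (str) {`. The element literal between `$('` and `')` appears to have been lost in this rendering of the patch, so the exact construction could not be checked here. The two callers in the second hunk pass the result to `.html(...)` as element content, which is consistent with that contract.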