White space replacement: Escape '<>&' before setting innerHTML, v2.1.1

Setting the innerHTML attribute of the node is necessary when we replace the white spaces by alternative characters, because we need the spans to be interpreted to set “comment”-style (font color) for those characters. But if we omit to escape HTML special characters, they get interpreted in the process! Let's escape them before replacing the white spaces. Increment version to v2.1.1, for releasing the fix Fixes: #99 Reported-by: @iiey
Qeole · Feb 24, 2021 · c646c26 · c646c26
1 parent 9fa2c82
commit c646c26
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/manifest.json b/manifest.json
@@ -7,7 +7,7 @@
     }
   },
   "name": "Colored Diffs",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "Color diffs in messages formatted by Git or other version control systems",
   "author": "Vadim Atlygin",
   "homepage_url": "https://github.com/Qeole/colorediffs",

diff --git a/scripts/transformations.js b/scripts/transformations.js
@@ -31,6 +31,9 @@ function replaceSpaces(root, tabsize) {
     };
 
     function doReplace(node) {
+        node.textContent = node.textContent.replace(/&/g,'&amp;')
+            .replace(/</g, '&lt;')
+            .replace(/>/g, '&gt;');
         node.innerHTML = node.textContent.replace(/( +|\t+)/g, replacer);
     };