From 13b589dcb910d24be8e735f9106ac67436c8a622 Mon Sep 17 00:00:00 2001
From: sylenien <nikita@openreplay.com>
Date: Thu, 1 Sep 2022 10:16:08 +0200
Subject: [PATCH] fix(player): sanitize html nodes

---
 .../StatedScreen/Screen/Marker.js                | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/frontend/app/player/MessageDistributor/StatedScreen/Screen/Marker.js b/frontend/app/player/MessageDistributor/StatedScreen/Screen/Marker.js
index daf5a67b4..4ff401093 100644
--- a/frontend/app/player/MessageDistributor/StatedScreen/Screen/Marker.js
+++ b/frontend/app/player/MessageDistributor/StatedScreen/Screen/Marker.js
@@ -1,5 +1,17 @@
 import styles from './marker.module.css';
 
+function escapeRegExp(string) {
+  return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+}
+
+function escapeHtml(string) {
+  return string.replaceAll('&', '&amp;').replaceAll('<', '&lt;').replaceAll('>', '&gt;').replaceAll('"', '&quot;').replaceAll("'", '&#039;');
+}
+
+function safeString(string) {
+  return (escapeHtml(escapeRegExp(string)))
+}
+
 export default class Marker {
   _target = null;
   _selector = null;
@@ -92,11 +104,11 @@ export default class Marker {
       let k = attrs[i];
       const attribute = k.name;
       if (attribute === 'class') {
-        str += `<span style="color:#F29766">${'.' + k.value.split(' ').join('.')}</span>`;
+        str += `<span style="color:#F29766">${'.' + safeString(k.value.split(' ').join('.'))}</span>`;
       }
 
       if (attribute === 'id') {
-        str += `<span style="color:#F29766">${'#' + k.value.split(' ').join('#')}</span>`;
+        str += `<span style="color:#F29766">${'#' + safeString(k.value.split(' ').join('#'))}</span>`;
       }
     }