From 471295d65176bf87943e1edbd231e0eb44e85efb Mon Sep 17 00:00:00 2001
From: Shen DeShayne
Date: Tue, 10 May 2022 11:44:47 -0700
Subject: [PATCH] Escape HTML entities in log files
Escape unsafe HTML, this allows XML and HTML tags to display instead of render.
---
 src/Utility.php | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/src/Utility.php b/src/Utility.php
index 23e4469..bb39a84 100644
--- a/src/Utility.php
+++ b/src/Utility.php
@@ -63,6 +63,43 @@ function ($var) {
 CSS;
 $js = <<"'\/]/g, function (s) {
+ var entityMap = {
+ "&": "&",
+ "<": "<",
+ ">": ">",
+ '"': '"',
+ "'": ''',
+ "/": '/'
+ };
+
+ return entityMap[s];
+ });
+ }
+
+ if (typeof(String.prototype.escapeHtml) !== 'function') {
+ String.prototype.escapeHtml = escapeHtml;
+ }
+})();
+
 const logElem = document.getElementById("__log");
 function streamLog (log) {
@@ -75,7 +112,7 @@ function streamLog (log) {
 }).then(data => data.text()).then(data => {
 let html = "";
- data.split("\\n").forEach(line => {
+ data.escapeHtml().split("\\n").forEach(line => {
 let m = /^(\d{4}(-\d{2}){2} (\d{2}:){2}\d{2}) (\[[^\]]+\]){3}\[([^\]]+)\]\[([^\]]+)\]/i.exec(line);
 if (m !== null) {
 let colour = "";
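Review bot: The escaping this fix depends on is installed only when `typeof(String.prototype.escapeHtml) !== 'function'`, so if any other script on the page has already defined a method of that name, `streamLog` silently uses that one, whatever it does or does not escape. A security control should not hang on a shared, mutable prototype slot: keep `escapeHtml` as a plain function local to this script that takes the string as an argument, and call it as `escapeHtml(data).split("\\n")`. The opening lines of the added block are not legible in this copy of the patch, and the `entityMap` values appear as the bare characters (`"&": "&"`), which would make the replacement a no-op. Presumably the entities were decoded when the page was rendered, so check the values against the repository before reusing the snippet.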
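Review bot: Calling `data.escapeHtml()` on the whole response before the split means `line` and every match group in `m` are entity-encoded text, which is safe in element content and quoted attribute values but not in unquoted attributes, `style` values or URLs. The body of `streamLog` starts before this hunk and continues past it, so it is not visible here how `m`, `colour` and `html` are consumed or how `html` reaches the page. If a captured group feeds a `class` or `style` value, it should be mapped through a fixed allow-list rather than interpolated. A comment above the call would record the invariant for the next maintainer, for example `// log text is entity-escaped once here; everything derived from line is HTML text and must not be escaped again or decoded`.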