From dea86b7b59c16856f99aba56e72c43835e61a909 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Tue, 16 Nov 2021 11:53:41 +0100
Subject: [PATCH 1/5] Sanitize user-input on file name

- Sanitize user-input before it get passed into the DOM.
- Prevent things like "" from being executed.

This isn't a XSS attack as the server seems to be santizing the path as well.
---
 web_src/js/features/repo-editor.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web_src/js/features/repo-editor.js b/web_src/js/features/repo-editor.js
index 7bf401207ad13..f22057d86169f 100644
--- a/web_src/js/features/repo-editor.js
+++ b/web_src/js/features/repo-editor.js
@@ -106,7 +106,7 @@ export function initRepoEditor() {
 if (e.keyCode === 191) {
 parts = $(this).val().split('/');
 for (let i = 0; i < parts.length; ++i) {
- value = parts[i];
+ value = encodeURIComponent(parts[i]);
 if (i < parts.length - 1) {
 if (value.length) {
 $(`${value}`).insertBefore($(this));

From 958c402834937e76c2b3862b6c10fe0228318892 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Tue, 16 Nov 2021 12:31:43 +0100
Subject: [PATCH 2/5] Use .text()

---
 web_src/js/features/repo-editor.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web_src/js/features/repo-editor.js b/web_src/js/features/repo-editor.js
index f22057d86169f..40508d6145871 100644
--- a/web_src/js/features/repo-editor.js
+++ b/web_src/js/features/repo-editor.js
@@ -106,10 +106,10 @@ export function initRepoEditor() {
 if (e.keyCode === 191) {
 parts = $(this).val().split('/');
 for (let i = 0; i < parts.length; ++i) {
- value = encodeURIComponent(parts[i]);
+ value = parts[i];
 if (i < parts.length - 1) {
 if (value.length) {
- $(`${value}`).insertBefore($(this));
+ $(``).text(value).insertBefore($(this));
 $('
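Review bot: `encodeURIComponent` is a URL encoder, not an HTML escaper, so it is the wrong primitive for text that `$()` will parse as markup: it rewrites spaces and non-ASCII characters of the displayed path segment into `%xx` sequences and leaves `'` untouched. Because the assignment replaces `value` itself, every later use of `value` in this loop iteration (the `else` branch lies outside the hunk) also receives the encoded string. The same encoder reappears inside the template literal in the third patch's hunk, where only the rendering is affected. An HTML-context escaper, or building the element and assigning the segment with `.text()`, is the right tool here; the template literal's markup appears to have been stripped from this rendering of the diff, and the enclosing handler continues beyond the hunk.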
/
').insertBefore($(this));
 }
 } else {

From d3d2f38f95d0adcd2b12205ef3cc3c93e68ee9ca Mon Sep 17 00:00:00 2001
From: wxiaoguang
Date: Tue, 16 Nov 2021 19:35:51 +0800
Subject: [PATCH 3/5] Update repo-editor.js

---
 web_src/js/features/repo-editor.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web_src/js/features/repo-editor.js b/web_src/js/features/repo-editor.js
index 40508d6145871..75f56bf643b85 100644
--- a/web_src/js/features/repo-editor.js
+++ b/web_src/js/features/repo-editor.js
@@ -109,7 +109,7 @@ export function initRepoEditor() {
 value = parts[i];
 if (i < parts.length - 1) {
 if (value.length) {
- $(``).text(value).insertBefore($(this));
+ $(`${encodeURIComponent(value)}`).insertBefore($(this));
 $('
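Review bot: `.text(value)` is called on the outer element built from the template literal, so it replaces that element's entire content; if the template holds a nested element (the fourth patch in this series calls `$span.find('a')`, which suggests an inner anchor), that child is discarded and the breadcrumb segment loses its link. Setting the text on the inner element instead, `$(…).find('a').text(value)`, keeps the structure while still inserting the segment as a text node rather than as markup. The template literal's markup appears stripped in this rendering, so the exact structure cannot be confirmed from the hunk; the enclosing event handler and `initRepoEditor` extend beyond it.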
/
').insertBefore($(this));
 }
 } else {

From a2035df604f6cafb75d55a7cf880eab203af78d5 Mon Sep 17 00:00:00 2001
From: wxiaoguang
Date: Tue, 16 Nov 2021 19:38:13 +0800
Subject: [PATCH 4/5] Update repo-editor.js

---
 web_src/js/features/repo-editor.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/web_src/js/features/repo-editor.js b/web_src/js/features/repo-editor.js
index 75f56bf643b85..5da9f59448875 100644
--- a/web_src/js/features/repo-editor.js
+++ b/web_src/js/features/repo-editor.js
@@ -109,7 +109,9 @@ export function initRepoEditor() {
 value = parts[i];
 if (i < parts.length - 1) {
 if (value.length) {
- $(`${encodeURIComponent(value)}`).insertBefore($(this));
+ const $span = $(``);
+ $span.find('a').text(value);
+ $span.insertBefore($(this));
 $('
/
').insertBefore($(this));
 }
 } else {

From eb509162f1c727a8d17b76fd3522763a0c4a61af Mon Sep 17 00:00:00 2001
From: Gusted
Date: Tue, 16 Nov 2021 13:23:07 +0100
Subject: [PATCH 5/5] use htmlEscape

---
 web_src/js/features/repo-editor.js | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/web_src/js/features/repo-editor.js b/web_src/js/features/repo-editor.js
index 5da9f59448875..571fed9d2738d 100644
--- a/web_src/js/features/repo-editor.js
+++ b/web_src/js/features/repo-editor.js
@@ -1,3 +1,4 @@
+import {htmlEscape} from 'escape-goat';
 import {initMarkupContent} from '../markup/content.js';
 import {createCodeEditor} from './codeeditor.js';
@@ -109,9 +110,7 @@ export function initRepoEditor() {
 value = parts[i];
 if (i < parts.length - 1) {
 if (value.length) {
- const $span = $(``);
- $span.find('a').text(value);
- $span.insertBefore($(this));
+ $(`${htmlEscape(value)}`).insertBefore($(this));
 $('
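Review bot: Nothing in the three added lines records why the segment is assigned through `.text()` instead of being interpolated into the template string, and the next patch in this series swaps it straight back to interpolation, which is exactly the drift a comment would prevent. A one-line comment above `const $span` would carry the intent: `// file-name segment is user input: set it via .text(), never interpolate it into markup`. With this form the correctness of the breadcrumb does not depend on an escaping call being remembered at every interpolation, because the value becomes a text node. The template literal's markup appears stripped in this rendering, so the `find('a')` target is taken on trust; the enclosing handler continues outside the hunk.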
/
').insertBefore($(this));
 }
 } else {
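Review bot: `htmlEscape(value)` inside the template literal is correct for a text-node position, but the breadcrumb's safety now rests on every future interpolation into this string remembering the call, whereas the DOM-built form this hunk removes (`$span.find('a').text(value)`) needed no escaper at all. If the string form is kept for brevity, a comment beside the line makes the requirement visible: `// value is user input: htmlEscape it before $() parses this string as markup`. escape-goat's `htmlEscape` replaces `&`, `<`, `>`, `"` and `'`, so it would also hold if the segment ever moved into a quoted attribute, assuming the package is already a declared dependency of the project. The template literal's markup appears stripped in this rendering, and the enclosing handler continues beyond the hunk.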