From 9bdee7afff8d2a7ad4c2d50048a53454cab5395e Mon Sep 17 00:00:00 2001
From: Elian Doran
Date: Sun, 22 Dec 2024 22:23:26 +0200
Subject: [PATCH] fix(client): unescaped HTML in bookmarked notes & folders
---
 .../app/widgets/buttons/bookmark_folder.js | 17 +++++++++--------
 .../widgets/buttons/open_note_button_widget.js | 2 +-
 2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/public/app/widgets/buttons/bookmark_folder.js b/src/public/app/widgets/buttons/bookmark_folder.js
index ab459788b..e627208b5 100644
--- a/src/public/app/widgets/buttons/bookmark_folder.js
+++ b/src/public/app/widgets/buttons/bookmark_folder.js
@@ -1,5 +1,6 @@
 import RightDropdownButtonWidget from "./right_dropdown_button.js";
 import linkService from "../../services/link.js";
+import utils from "../../services/utils.js";
 
 const DROPDOWN_TPL = `
@@ -11,40 +12,40 @@ const DROPDOWN_TPL = ` font-size: 1.2rem; overflow: auto; } - + .bookmark-folder-widget ul { padding: 0; list-style-type: none; } - + .bookmark-folder-widget .note-link { display: block; padding: 5px 10px 5px 5px; } - + .bookmark-folder-widget .note-link:hover { background-color: var(--accented-background-color); text-decoration: none; } - + .dropdown-menu .bookmark-folder-widget a:hover { text-decoration: none; background: transparent !important; } - + .bookmark-folder-widget li .note-link { padding-left: 35px; } - +
- +
`;
 export default class BookmarkFolderWidget extends RightDropdownButtonWidget {
 constructor(note) {
- super(note.title, note.getIcon(), DROPDOWN_TPL);
+ super(utils.escapeHtml(note.title), note.getIcon(), DROPDOWN_TPL);
 this.note = note;
 }
diff --git a/src/public/app/widgets/buttons/open_note_button_widget.js b/src/public/app/widgets/buttons/open_note_button_widget.js
index 98f53248a..fe8c476c9 100644
--- a/src/public/app/widgets/buttons/open_note_button_widget.js
+++ b/src/public/app/widgets/buttons/open_note_button_widget.js
@@ -9,7 +9,7 @@ export default class OpenNoteButtonWidget extends OnClickButtonWidget {
 this.noteToOpen = noteToOpen;
- this.title(() => this.noteToOpen.title)
+ this.title(() => utils.escapeHtml(this.noteToOpen.title))
 .icon(() => this.noteToOpen.getIcon())
 .onClick((widget, evt) => this.launch(evt))
 .onAuxClick((widget, evt) => this.launch(evt))
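Review bot: Escaping the title at the data source in `super(utils.escapeHtml(note.title), note.getIcon(), DROPDOWN_TPL);` makes correctness depend on every consumer in `RightDropdownButtonWidget` treating the value as HTML; any path that already sets it as text (`.text()`, `.attr()`) would now display `&amp;`/`&lt;` literally, which is inferred since the base widget is not in this diff. It is also worth confirming that `utils.escapeHtml` encodes `"` and `'`: an escaper built on text-node semantics leaves quotes intact, which is not sufficient if the title is interpolated into an attribute such as `title="…"`. `note.getIcon()` on the same line is passed through unescaped; if the base widget interpolates it into markup the same way as the title, it deserves the same treatment. The same source-side escaping is applied in the `open_note_button_widget.js` hunk, so the sink check applies there too. The template above and the rest of the class continue outside this hunk.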
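Review bot: `this.title(() => utils.escapeHtml(this.noteToOpen.title))` relies on `utils` already being imported in open_note_button_widget.js; the diffstat records only this one-line change for the file, so if the import is absent the widget would fail at render time — a quick check of the file header, which is outside the hunk, settles it. A short comment such as `// the button template renders the title as HTML, so it is escaped here rather than at the sink` would record why the escaping lives on the callback side and keep a later refactor from double-escaping it. The constructor continues outside this hunk.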