Escape some strings

To avoid XSS injection Change-Id: I767cdffcff48545f9aec400b53eca6944130513d

Escape some strings
To avoid XSS injection Change-Id: I767cdffcff48545f9aec400b53eca6944130513d
9725a83d · Jeffrey I. Schiller · dba889f8 · 9725a83d
Commit 9725a83d authored Sep 22, 2019 by Jeffrey I. Schiller
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

appinventor/appengine/src/com/google/appinventor/client/editor/simple/components/MockComponent.java ...ventor/client/editor/simple/components/MockComponent.java +2 -1

No files found.
--- a/appinventor/appengine/src/com/google/appinventor/client/editor/simple/components/MockComponent.java
+++ b/appinventor/appengine/src/com/google/appinventor/client/editor/simple/components/MockComponent.java
@@ -54,6 +54,7 @@ import com.google.gwt.event.dom.client.TouchMoveEvent;
 import com.google.gwt.event.dom.client.TouchStartEvent;
 import com.google.gwt.event.shared.HandlerManager;
 import com.google.gwt.event.shared.HandlerRegistration;
+import com.google.gwt.safehtml.shared.SafeHtmlUtils;
 import com.google.gwt.user.client.Command;
 import com.google.gwt.user.client.DOM;
 import com.google.gwt.user.client.DeferredCommand;
@@ -775,7 +776,7 @@ public abstract class MockComponent extends Composite implements PropertyChangeL
    // used to get HTML for the iconImage. AbstractImagePrototype requires
    // an ImageResource, which we don't necessarily have.
    TreeItem itemNode = new TreeItem(
-        new HTML("<span>" + iconImage.getElement().getString() + getName() + "</span>")) {
+        new HTML("<span>" + iconImage.getElement().getString() + SafeHtmlUtils.htmlEscapeAllowEntities(getName()) + "</span>")) {
      @Override
      protected Focusable getFocusable() {
        return nullFocusable;