From 55c48d62fc0e5d284ee5b4a38c67cf9b20ff00a5 Mon Sep 17 00:00:00 2001
From: tophf <tophf@gmx.com>
Date: Fri, 7 Aug 2015 17:11:56 +0300
Subject: [PATCH] Editor: escape html in CSSLint report, limit message length

---
 edit.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/edit.js b/edit.js
index 6f6dc026..7b2c086c 100644
--- a/edit.js
+++ b/edit.js
@@ -859,13 +859,17 @@ function updateLintReport(cm, delay) {
 						delete oldMarkers[pos];
 					}
 					newMarkers[pos] = info.message;
+					var message = escapeHtml(info.message.replace(/ at line \d.+$/, ""));
+					if (message.length > 100) {
+						message = message.substr(0, 100) + "...";
+					}
 					return "<tr class='" + info.severity + "'>" +
 						"<td role='severity' class='CodeMirror-lint-marker-" + info.severity + "'>" +
 							info.severity + "</td>" +
 						"<td role='line'>" + (info.from.line+1) + "</td>" +
 						"<td role='sep'>:</td>" +
 						"<td role='col'>" + (info.from.ch+1) + "</td>" +
-						"<td role='message'>" + info.message.replace(/ at line \d.+$/, "") + "</td></tr>";
+						"<td role='message'>" + message + "</td></tr>";
 				}).join("") + "</tbody>";
 			cm.state.lint.markedLast = newMarkers;
 			fixedOldIssues |= Object.keys(oldMarkers).length > 0;
@@ -885,6 +889,10 @@ function updateLintReport(cm, delay) {
 			}
 		}
 	}
+	function escapeHtml(html) {
+		var chars = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': '&quot;', "'": '&#39;', "/": '&#x2F;'};
+		return html.replace(/[&<>"'\/]/g, function(char) { return chars[char] });
+	}
 }
 
 function renderLintReport(blockChanged) {