Escape input, fixes #3990

resources/assets/js/components/transactions/AccountSelect.vue

@@ -135,7 +135,17 @@ export default {
         aSyncFunction: function (query, done) {
           axios.get(this.accountAutoCompleteURI + query)
               .then(res => {
-                done(res.data);
+                // loop over data
+                let escapedData = [];
+                let current;
+                for (const key in res.data) {
+                  if (res.data.hasOwnProperty(key) && /^0$|^[1-9]\d*$/.test(key) && key <= 4294967294) {
+                    current = res.data[key];
+                    current.description = this.escapeHtml(res.data[key].description)
+                    escapedData.push(current);
+                  }
+                }
+                done(escapedData);
               })
               .catch(err => {
                 // any error handler

resources/assets/js/components/transactions/Category.vue

@@ -94,7 +94,17 @@ export default {
     aSyncFunction: function (query, done) {
       axios.get(this.categoryAutoCompleteURI + query)
           .then(res => {
-            done(res.data);
+            // loop over data
+            let escapedData = [];
+            let current;
+            for (const key in res.data) {
+              if (res.data.hasOwnProperty(key) && /^0$|^[1-9]\d*$/.test(key) && key <= 4294967294) {
+                current = res.data[key];
+                current.description = this.escapeHtml(res.data[key].description)
+                escapedData.push(current);
+              }
+            }
+            done(escapedData);
           })
           .catch(err => {
             // any error handler

resources/assets/js/components/transactions/TransactionDescription.vue

@@ -83,12 +83,41 @@ export default {
     aSyncFunction: function (query, done) {
       axios.get(this.descriptionAutoCompleteURI + query)
           .then(res => {
-            done(res.data);
+
+            // loop over data
+            let escapedData = [];
+            let current;
+            for (const key in res.data) {
+              if (res.data.hasOwnProperty(key) && /^0$|^[1-9]\d*$/.test(key) && key <= 4294967294) {
+                current = res.data[key];
+                current.description = this.escapeHtml(res.data[key].description)
+                escapedData.push(current);
+              }
+            }
+            done(escapedData);
           })
           .catch(err => {
             // any error handler
           })
     },
+    escapeHtml: function (string) {
+
+      let entityMap = {
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#39;',
+        '/': '&#x2F;',
+        '`': '&#x60;',
+        '=': '&#x3D;'
+      };
+
+      return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap(s) {
+        return entityMap[s];
+      });
+
+    },
     search: function (input) {
       return ['ab', 'cd'];
     },