From 845e69fb96bc3e3e006263d72966c0c2067ae179 Mon Sep 17 00:00:00 2001
From: Bernd Bestel
Date: Thu, 21 Apr 2022 21:32:28 +0200
Subject: [PATCH] Escape HTML when displaying recipes on /mealplan (references #1868)

---
 public/js/extensions.js   | 5 +++++
 public/viewjs/mealplan.js | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/public/js/extensions.js b/public/js/extensions.js
index 6375b668..1b48ae55 100644
--- a/public/js/extensions.js
+++ b/public/js/extensions.js
@@ -21,6 +21,11 @@ String.prototype.replaceAll = function(search, replacement)
 	return this.replace(new RegExp(search, "g"), replacement);
 };
 
+String.prototype.escapeHTML = function()
+{
+	return this.replace(/[&<>"'`=\/]/g, s => ({ '&': '&', '<': '<', '>': '>', '"': '"', "'": ''', '/': '/', '`': '`', '=': '=' })[s]);;
+};
+
 GetUriParam = function(key)
 {
 	var currentUri = window.location.search.substring(1);
diff --git a/public/viewjs/mealplan.js b/public/viewjs/mealplan.js
index b52954de..30dc94fa 100644
--- a/public/viewjs/mealplan.js
+++ b/public/viewjs/mealplan.js
@@ -139,6 +139,8 @@ $(".calendar").each(function()
 		return false;
 	}
 
+	recipe.name = recipe.name.escapeHTML();
+
 	var internalShadowRecipe = FindObjectInArrayByPropertyValue(internalRecipes, "name", mealPlanEntry.day + "#" + mealPlanEntry.id);
 	var resolvedRecipe = FindObjectInArrayByPropertyValue(recipesResolved, "recipe_id", internalShadowRecipe.id);
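Review bot: As rendered here, the replacement table inside the added `String.prototype.escapeHTML` maps every character to itself (`'&': '&'`, `'<': '<'`, …), so the function returns its input unchanged and the `/mealplan` fix would escape nothing; the `"'": '''` entry is not even valid JavaScript, which strongly suggests the HTML entities were decoded when this page was extracted, so please confirm the committed line actually reads `'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;'` and drop the stray `;;` at the end of the return statement. This character set is the HTML text/attribute escape set; a value that ends up inside a JavaScript string, a URL or an event-handler attribute needs context-specific encoding, and a caller that later inserts the result via `.text()`/`textContent` will display the entities literally. Because it is installed on `String.prototype` and callable from anywhere, a header comment stating the intended context would prevent misuse, e.g. `// Escape for insertion into HTML text/attribute content only (not JS strings or URLs); callers that use .text() must not escape first`. The function is complete within this hunk.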