Merge pull request #1022 from mrmr1993/HTMLEscaping

Fix HTML escaping issues

2 files changed, 5 insertions, 3 deletions

diff --git a/background_scripts/completion.coffee b/background_scripts/completion.coffee
index 92e325e1..8b30dc43 100644
--- a/background_scripts/completion.coffee
+++ b/background_scripts/completion.coffee
@@ -71,7 +71,9 @@ class Suggestion
   # Wraps each occurence of the query terms in the given string in a <span>.
   highlightTerms: (string) ->
     ranges = []
-    for term in @queryTerms
+    # Escape the terms before highlighting
+    escapedTerms = @queryTerms.map (oldTerm) -> Utils.escapeHtml(oldTerm)
+    for term in escapedTerms
       @pushMatchingRanges string, term, ranges
 
     return string if ranges.length == 0
diff --git a/content_scripts/vimium_frontend.coffee b/content_scripts/vimium_frontend.coffee
index a2139df6..b9666aa5 100644
--- a/content_scripts/vimium_frontend.coffee
+++ b/content_scripts/vimium_frontend.coffee
@@ -839,7 +839,7 @@ window.showHelpDialog = (html, fid) ->
 
   container.innerHTML = html
   container.getElementsByClassName("closeButton")[0].addEventListener("click", hideHelpDialog, false)
-  
+
   VimiumHelpDialog =
     # This setting is pulled out of local storage. It's false by default.
     getShowAdvancedCommands: -> settings.get("helpDialog_showAdvancedCommands")
@@ -908,7 +908,7 @@ HUD =
   show: (text) ->
     return unless HUD.enabled()
     clearTimeout(HUD._showForDurationTimerId)
-    HUD.displayElement().innerHTML = text
+    HUD.displayElement().innerText = text
     clearInterval(HUD._tweenId)
     HUD._tweenId = Tween.fade(HUD.displayElement(), 1.0, 150)
     HUD.displayElement().style.display = ""