From 0847a3f6a40fef45c715262b1af982612b838b90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lorenz=20H=C3=BCbschle-Schneider?=
 <lorenz-dev@lgh-alumni.de>
Date: Tue, 9 Jun 2015 00:32:41 +0200
Subject: [PATCH] TEMP: cherry-pick escaping patch from #623

---
 js/filters.js        | 24 +++++++++++++++---------
 test/unit/filters.js |  2 +-
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/js/filters.js b/js/filters.js
index 3113c94..47e7b3a 100644
--- a/js/filters.js
+++ b/js/filters.js
@@ -30,13 +30,6 @@ weechat.filter('irclinky', ['$filter', function($filter) {
             return text;
         }
 
-        // First, escape entities to prevent escaping issues because it's a bad idea
-        // to parse/modify HTML with regexes, which we do a couple of lines down...
-        var entities = {"<": "&lt;", ">": "&gt;", '"': '&quot;', "'": '&#39;', "&": "&amp;", "/": '&#x2F;'};
-        text = text.replace(/[<>"'&\/]/g, function (char) {
-            return entities[char];
-        });
-
         // This regex in no way matches all IRC channel names (they could also begin with &, + or an
         // exclamation mark followed by 5 alphanumeric characters, and are bounded in length by 50).
         // However, it matches all *common* IRC channels while trying to minimise false positives.
@@ -73,6 +66,15 @@ weechat.filter('DOMfilter', ['$filter', '$sce', function($filter, $sce) {
             return text;
         }
 
+        var escape_html = function(text) {
+            // First, escape entities to prevent escaping issues because it's a bad idea
+            // to parse/modify HTML with regexes, which we do a couple of lines down...
+            var entities = {"<": "&lt;", ">": "&gt;", '"': '&quot;', "'": '&#39;', "&": "&amp;", "/": '&#x2F;'};
+            return text.replace(/[<>"'&\/]/g, function (char) {
+                return entities[char];
+            });
+        };
+
         // hacky way to pass extra arguments without using .apply, which
         // would require assembling an argument array. PERFORMANCE!!!
         var extraArgument = (arguments.length > 2) ? arguments[2] : null;
@@ -85,8 +87,12 @@ weechat.filter('DOMfilter', ['$filter', '$sce', function($filter, $sce) {
         // Recursive DOM-walking function applying the filter to the text nodes
         var process = function(node) {
             if (node.nodeType === 3) { // text node
-                var value = filterFunction(node.nodeValue, extraArgument, thirdArgument);
-                if (value !== node.nodeValue) {
+                // apply the filter to *escaped* HTML, and only commit changes if
+                // it changed the escaped value. This is because setting the result
+                // as innerHTML causes it to be unescaped.
+                var input = escape_html(node.nodeValue);
+                var value = filterFunction(input, extraArgument, thirdArgument);
+                if (value !== input) {
                     // we changed something. create a new node to replace the current one
                     // we could also only add its children but that would probably incur
                     // more overhead than it would gain us
diff --git a/test/unit/filters.js b/test/unit/filters.js
index 934996e..c8ea29e 100644
--- a/test/unit/filters.js
+++ b/test/unit/filters.js
@@ -20,7 +20,7 @@ describe('Filters', function() {
         }));
 
         it('should not mess up IRC channels surrounded by HTML entities', inject(function(irclinkyFilter) {
-            expect(irclinkyFilter('<"#foo">')).toEqual('&lt;&quot;<a href="#" onclick="var $scope = angular.element(event.target).scope(); $scope.openBuffer(\'#foo&quot;&gt;\'); $scope.$apply();">#foo&quot;&gt;</a>');
+            expect(irclinkyFilter('<"#foo">')).toEqual('<"<a href="#" onclick="var $scope = angular.element(event.target).scope(); $scope.openBuffer(\'#foo">\'); $scope.$apply();">#foo"></a>');
         }));
     });