Escape Ampersands - fixes #3563

2018-02-13 16:43:07 +01:00 · 2018-02-13 16:43:07 +01:00 · a345815b57
commit a345815b57
parent 3ddc73b0a0
2 changed files with 13 additions and 6 deletions
--- a/openslides/motions/static/js/motions/diff.js
+++ b/openslides/motions/static/js/motions/diff.js
@ -185,17 +185,17 @@ angular.module('OpenSlidesApp.motions.diff', ['OpenSlidesApp.motions.lineNumberi
        };

        this._serializeDom = function(node, stripLineNumbers) {
-            if (node.nodeType == TEXT_NODE) {
+            if (node.nodeType === TEXT_NODE) {
                return node.nodeValue.replace(/</g, "&lt;").replace(/>/g, "&gt;");
            }
            if (stripLineNumbers && (
                lineNumberingService._isOsLineNumberNode(node) || lineNumberingService._isOsLineBreakNode(node))) {
                return '';
            }
-            if (node.nodeName == 'OS-LINEBREAK') {
+            if (node.nodeName === 'OS-LINEBREAK') {
                return '';
            }
-            if (node.nodeName == 'BR') {
+            if (node.nodeName === 'BR') {
                var br = '<BR';
                for (i = 0; i < node.attributes.length; i++) {
                    var attr = node.attributes[i];
@ -206,13 +206,13 @@ angular.module('OpenSlidesApp.motions.diff', ['OpenSlidesApp.motions.lineNumberi

            var html = this._serializeTag(node);
            for (var i = 0; i < node.childNodes.length; i++) {
-                if (node.childNodes[i].nodeType == TEXT_NODE) {
-                    html += node.childNodes[i].nodeValue.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+                if (node.childNodes[i].nodeType === TEXT_NODE) {
+                    html += node.childNodes[i].nodeValue.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
                } else if (!stripLineNumbers || (!lineNumberingService._isOsLineNumberNode(node.childNodes[i]) && !lineNumberingService._isOsLineBreakNode(node.childNodes[i]))) {
                    html += this._serializeDom(node.childNodes[i], stripLineNumbers);
                }
            }
-            if (node.nodeType != DOCUMENT_FRAGMENT_NODE) {
+            if (node.nodeType !== DOCUMENT_FRAGMENT_NODE) {
                html += '</' + node.nodeName + '>';
            }

--- a/tests/karma/motions/diff.service.test.js
+++ b/tests/karma/motions/diff.service.test.js
@ -300,6 +300,13 @@ describe('linenumbering', function () {
      expect(containsError).toBe(-1);
      expect(containsCorrectVersion > 0).toBe(true);
    });
+
+    it('keeps ampersands escaped', function() {
+        var pre = '<p>' + noMarkup(1) + 'foo &amp; bar</p>',
+            after = '<p>' + noMarkup(1) + 'foo &amp; bar ins</p>';
+        var merged = diffService.replaceLines(pre, after, 1, 2, true);
+      expect(merged).toBe('<P>foo &amp; bar ins</P>');
+    });
  });

  describe('detecting the type of change', function() {