Merge commit from fork

PromoFaux · web-flow · commit 4159aaade6b5 · 2025-10-25T10:08:44.000+01:00
HTML escape adlist URL and non-domain entried before printing it in gravity stream
diff --git a/scripts/js/gravity.js b/scripts/js/gravity.js
@@ -5,7 +5,7 @@
  *  This file is copyright under the latest version of the EUPL.
  *  Please see LICENSE file for your rights under this license. */
 
-/* global apiFailure:false */
+/* global apiFailure:false, utils:false */
 
 "use strict";
 
@@ -89,9 +89,11 @@ function parseLines(outputElement, text) {
   const lines = text.split(/(?=\r)/g);
 
   for (let line of lines) {
+    // Escape HTML to prevent XSS attacks (both in adlist URL and non-domain entries)
+    line = utils.escapeHtml(line);
     if (line[0] === "\r") {
       // This line starts with the "OVER" sequence. Replace them with "\n" before print
-      line = line.replaceAll("\r[K", "\n").replaceAll("\r", "\n");
+      line = line.replaceAll("\r\u001B[K", "\n").replaceAll("\r", "\n");
 
       // Last line from the textarea will be overwritten, so we remove it
       const lastLineIndex = outputElement.innerHTML.lastIndexOf("\n");
