From bfd9f390671e18cc3b4af5c3798c7f5935430e2f Mon Sep 17 00:00:00 2001 From: Jon Atkins Date: Mon, 27 May 2013 00:35:56 +0100 Subject: [PATCH] add util function to escape strings for manual building of HTML, and use this for the portal title fix #319 --- code/portal_detail_display.js | 2 +- code/utils_misc.js | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/code/portal_detail_display.js b/code/portal_detail_display.js index 03e80fcb..c3ba306b 100644 --- a/code/portal_detail_display.js +++ b/code/portal_detail_display.js @@ -54,7 +54,7 @@ window.renderPortalDetails = function(guid) { $('#portaldetails') .attr('class', TEAM_TO_CSS[getTeam(d)]) .html('' - + '

'+d.portalV2.descriptiveText.TITLE+'

' + + '

'+escapeHtmlSpecialChars(d.portalV2.descriptiveText.TITLE)+'

' + 'X' // help cursor via ".imgpreview img" + '
' diff --git a/code/utils_misc.js b/code/utils_misc.js index db072e06..07ba33e8 100644 --- a/code/utils_misc.js +++ b/code/utils_misc.js @@ -365,6 +365,14 @@ window.escapeJavascriptString = function(str) { return (str+'').replace(/[\\"']/g,'\\$&'); } +//escape special characters, such as tags +window.escapeHtmlSpecialChars = function(str) { + var div = document.createElement(div); + var text = document.createTextNode(str); + div.appendChild(text); + return div.innerHTML; +} + window.prettyEnergy = function(nrg) { return nrg> 1000 ? Math.round(nrg/1000) + ' k': nrg; }
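Review bot: In `escapeHtmlSpecialChars`, `document.createElement(div)` passes the variable `div`, which is still `undefined` at that point, instead of the string. The helper therefore creates an element named after the stringified `undefined`, and it only escapes correctly because any element serialises its text child; the line should read `var div = document.createElement('div');`. Separately, serialising a text node through `innerHTML` escapes `&`, `<` and `>` but leaves `"` and `'` untouched, so the result is safe as element content and not inside a quoted attribute value. The title call site in portal_detail_display.js appears to be element content (its markup is not fully visible on this page), so it is covered. The helper is a global, so I would state the limit in its comment, e.g. `//escape & < > for use as element text; quotes are NOT escaped, so do not use in attribute values`.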