diff --git a/modules/actions/merge_remote_changes.js b/modules/actions/merge_remote_changes.js
index ee4d1d143..2e8b748a2 100644
--- a/modules/actions/merge_remote_changes.js
+++ b/modules/actions/merge_remote_changes.js
@@ -1,5 +1,6 @@
import deepEqual from 'fast-deep-equal';
import { diff3Merge } from 'node-diff3';
+import { escape } from 'lodash';
import { t } from '../core/localizer';
import { actionDeleteMultiple } from './delete_multiple';
@@ -14,7 +15,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
function user(d) {
- return (typeof formatUser === 'function') ? formatUser(d) : d;
+ return (typeof formatUser === 'function') ? formatUser(d) : escape(d);
}
@@ -31,7 +32,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
return target.update({loc: remote.loc});
}
- _conflicts.push(t('merge_remote_changes.conflict.location', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.location', { user: { html: user(remote.user) } }));
return target;
}
@@ -64,7 +65,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
} else if (deepEqual(c.o, c.b)) { // only changed locally
nodes.push.apply(nodes, c.a);
} else { // changed both locally and remotely
- _conflicts.push(t('merge_remote_changes.conflict.nodelist', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.nodelist', { user: { html: user(remote.user) } }));
break;
}
}
@@ -118,7 +119,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
if (remote.visible) {
target = mergeLocation(remote, target);
} else {
- _conflicts.push(t('merge_remote_changes.conflict.deleted', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.deleted', { user: { html: user(remote.user) } }));
}
if (_conflicts.length !== ccount) break;
@@ -149,7 +150,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
return target.update({members: remote.members});
}
- _conflicts.push(t('merge_remote_changes.conflict.memberlist', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.memberlist', { user: { html: user(remote.user) } }));
return target;
}
@@ -176,8 +177,8 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
if (o[k] !== b[k] && a[k] !== b[k]) { // changed remotely..
if (o[k] !== a[k]) { // changed locally..
- _conflicts.push(t('merge_remote_changes.conflict.tags',
- { tag: k, local: a[k], remote: b[k], user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.tags',
+ { tag: k, local: a[k], remote: b[k], user: { html: user(remote.user) } }));
} else { // unchanged locally, accept remote change..
if (b.hasOwnProperty(k)) {
@@ -224,7 +225,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
return graph.replace(target);
} else {
- _conflicts.push(t('merge_remote_changes.conflict.deleted', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.deleted', { user: { html: user(remote.user) } }));
return graph; // do nothing
}
}
diff --git a/modules/core/uploader.js b/modules/core/uploader.js
index a3e3af74d..605a26c43 100644
--- a/modules/core/uploader.js
+++ b/modules/core/uploader.js
@@ -1,4 +1,5 @@
import { dispatch as d3_dispatch } from 'd3-dispatch';
+import { escape } from 'lodash-es';
import { fileFetcher } from './file_fetcher';
import { actionDiscardTags } from '../actions/discard_tags';
@@ -218,7 +219,7 @@ export function coreUploader(context) {
};
}
function formatUser(d) {
- return '' + d + '';
+ return '' + escape(d) + '';
}
function entityName(entity) {
return utilDisplayName(entity) || (utilDisplayType(entity.id) + ' ' + entity.id);