From 8892b437a140739306ef88eab05c3bd24f41cc79 Mon Sep 17 00:00:00 2001
From: Martin Raifer
Date: Thu, 18 Nov 2021 12:57:31 +0100
Subject: [PATCH] escape and format conflict details as localized html strings these are in html because they contain links to osm user profiles
---
 modules/actions/merge_remote_changes.js | 17 +++++++++--------
 modules/core/uploader.js | 3 ++-
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/modules/actions/merge_remote_changes.js b/modules/actions/merge_remote_changes.js
index ee4d1d143..2e8b748a2 100644
--- a/modules/actions/merge_remote_changes.js
+++ b/modules/actions/merge_remote_changes.js
@@ -1,5 +1,6 @@
 import deepEqual from 'fast-deep-equal';
 import { diff3Merge } from 'node-diff3';
+import { escape } from 'lodash';
 import { t } from '../core/localizer';
 import { actionDeleteMultiple } from './delete_multiple';
@@ -14,7 +15,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
 function user(d) {
- return (typeof formatUser === 'function') ? formatUser(d) : d;
+ return (typeof formatUser === 'function') ? formatUser(d) : escape(d);
 }
@@ -31,7 +32,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
 return target.update({loc: remote.loc});
 }
- _conflicts.push(t('merge_remote_changes.conflict.location', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.location', { user: { html: user(remote.user) } }));
 return target;
 }
@@ -64,7 +65,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
 } else if (deepEqual(c.o, c.b)) { // only changed locally
 nodes.push.apply(nodes, c.a);
 } else { // changed both locally and remotely
- _conflicts.push(t('merge_remote_changes.conflict.nodelist', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.nodelist', { user: { html: user(remote.user) } }));
 break;
 }
 }
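Review bot: The added `import { escape } from 'lodash';` at the top of modules/actions/merge_remote_changes.js takes `escape` from a different package than the matching import this commit adds to modules/core/uploader.js, which uses `'lodash-es'`. Whether both packages are declared dependencies is not visible in this patch; if only one is, the other import resolves only through a transitive install and may break or pull a second copy of the library into the bundle. Using one specifier in both files, `import { escape } from 'lodash-es';`, keeps the escaping helper identical on both code paths.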
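Review bot: In the `user(d)` helper (hunk at -14,7) only the fallback branch is escaped; the `formatUser(d)` branch returns whatever the caller-supplied function produces, and every call site changed in this patch passes the result as `{ user: { html: user(remote.user) } }`, which presumably marks it as ready-made markup. That makes "formatUser must return HTML-safe output" an unstated contract of `actionMergeRemoteChanges`, and `remote.user` appears to come from the remote graph, so a formatter that forgets to escape would bring back the problem this commit fixes. A comment above the helper would record it, for example `// formatUser(d) must return HTML-safe markup: its result is passed to t.html as { html: ... }`. The enclosing function starts and ends outside this hunk.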
@@ -118,7 +119,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
 if (remote.visible) {
 target = mergeLocation(remote, target);
 } else {
- _conflicts.push(t('merge_remote_changes.conflict.deleted', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.deleted', { user: { html: user(remote.user) } }));
 }
 if (_conflicts.length !== ccount) break;
@@ -149,7 +150,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
 return target.update({members: remote.members});
 }
- _conflicts.push(t('merge_remote_changes.conflict.memberlist', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.memberlist', { user: { html: user(remote.user) } }));
 return target;
 }
@@ -176,8 +177,8 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
 if (o[k] !== b[k] && a[k] !== b[k]) { // changed remotely..
 if (o[k] !== a[k]) { // changed locally..
- _conflicts.push(t('merge_remote_changes.conflict.tags',
- { tag: k, local: a[k], remote: b[k], user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.tags',
+ { tag: k, local: a[k], remote: b[k], user: { html: user(remote.user) } }));
 } else { // unchanged locally, accept remote change..
 if (b.hasOwnProperty(k)) {
@@ -224,7 +225,7 @@ export function actionMergeRemoteChanges(id, localGraph, remoteGraph, discardTag
 return graph.replace(target);
 } else {
- _conflicts.push(t('merge_remote_changes.conflict.deleted', { user: user(remote.user) }));
+ _conflicts.push(t.html('merge_remote_changes.conflict.deleted', { user: { html: user(remote.user) } }));
 return graph; // do nothing
 }
 }
diff --git a/modules/core/uploader.js b/modules/core/uploader.js
index a3e3af74d..605a26c43 100644
--- a/modules/core/uploader.js
+++ b/modules/core/uploader.js
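Review bot: In the tags conflict (hunk at -176,8), `tag: k`, `local: a[k]` and `remote: b[k]` are still handed to `t.html` as plain values, while only `user` is wrapped in `{ html: ... }`. Remote tag keys and values are no more trustworthy than the user name, so the new line is safe only if `t.html` escapes every replacement that is not wrapped; that behaviour lives in `../core/localizer` and is not visible in this patch. It is worth confirming and recording next to the call, for example `// plain replacements are escaped by t.html; only pre-escaped markup is passed as { html }`. The surrounding loop starts and ends outside this hunk.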
@@ -1,4 +1,5 @@
 import { dispatch as d3_dispatch } from 'd3-dispatch';
+import { escape } from 'lodash-es';
 import { fileFetcher } from './file_fetcher';
 import { actionDiscardTags } from '../actions/discard_tags';
@@ -218,7 +219,7 @@ export function coreUploader(context) {
 };
 }
 function formatUser(d) {
- return '' + d + '';
+ return '' + escape(d) + '';
 }
 function entityName(entity) {
 return utilDisplayName(entity) || (utilDisplayType(entity.id) + ' ' + entity.id);
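Review bot: `formatUser` (hunk at -218,7) now escapes `d` where it is concatenated as text, but the commit message says these strings contain links to user profiles, so the name presumably also feeds the link target. The string literals on the changed line appear empty in this view, so that part cannot be checked here. HTML-escaping does not make a value safe inside a URL, so if `d` is concatenated into an `href` directly, that position needs URL encoding such as `encodeURIComponent(d)` for a path segment, on top of a quoted attribute. A short comment above `formatUser` saying that it returns markup with the display name escaped would also document what `actionMergeRemoteChanges` relies on. The body of `coreUploader` continues outside the hunk.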