From dfa970664dee4f38b18126ea23333328ef8fb3a4 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Mon, 25 Mar 2024 23:36:28 +0100
Subject: [PATCH] Escape text passed in collection sorting

Previously, the ID and title of tips and exercises newly added to the list were gathered from the DOM. While we keep this mechanism, we ensure to escape the text before reusing it.
---
 app/assets/javascripts/exercise_collections.js | 2 +-
 app/assets/javascripts/exercises.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/assets/javascripts/exercise_collections.js b/app/assets/javascripts/exercise_collections.js
index 786d0443..5c8f4b91 100644
--- a/app/assets/javascripts/exercise_collections.js
+++ b/app/assets/javascripts/exercise_collections.js
@@ -167,7 +167,7 @@ $(document).on('turbolinks:load', function() {
 }
 var addExercise = function (id, title) {
- var exercise = {id: id, title: title}
+ var exercise = {id: _.escape(id), title: _.escape(title)}
 var collectionExercises = collectContainedExercises();
 if (collectionExercises.indexOf(exercise.id) === -1) {
 // only add exercises that are not already contained in the collection
diff --git a/app/assets/javascripts/exercises.js b/app/assets/javascripts/exercises.js
index c3724855..cb3ce863 100644
--- a/app/assets/javascripts/exercises.js
+++ b/app/assets/javascripts/exercises.js
@@ -225,7 +225,7 @@ $(document).on('turbolinks:load', function () {
 $('.remove-tip').on('click', removeTip);
 function addTip(id, title) {
- const tip = {id: id, title: title}
+ const tip = {id: _.escape(id), title: _.escape(title)}
 const template = '
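Review bot: Escaping `id` on the `+` line before the `collectionExercises.indexOf(exercise.id) === -1` check changes what is compared: `_.escape` always returns a string, so if `collectContainedExercises()` (defined outside this hunk) yields numbers, as jQuery `.data()` does for numeric attributes, the strict `indexOf` can never match and the duplicate guard is silently bypassed; an id containing `&`, `<`, `>`, `"` or `'` would likewise no longer equal its unescaped DOM value. Escaping is the right fix for the HTML interpolation, but it belongs at the rendering site rather than in the data object: keep `var exercise = {id: id, title: title};` and wrap the values where they are spliced into markup, `_.escape(exercise.id)` / `_.escape(exercise.title)` (that template is outside the hunk, so I cannot confirm its exact shape). The same pattern applies to the `addTip` hunk in exercises.js. `addExercise`'s body continues past the end of the hunk.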
' + '' + tip.title +