Escape all labels

frenkel · frenkel · commit 215363b86c12 · 2021-03-12T11:33:22.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -2,7 +2,7 @@
 name = "timer-for-harvest"
 description = "Timer for Harvest"
 homepage = "https://github.com/frenkel/timer-for-harvest"
-version = "0.3.5"
+version = "0.3.6"
 authors = ["Frank Groeneveld <frank@frankgroeneveld.nl>"]
 edition = "2018"
 readme = "README.md"
diff --git a/src/lib.rs b/src/lib.rs
@@ -557,16 +557,23 @@ pub fn parse_account_details(request: &str) -> (String, String, String) {
     )
 }
 
+pub fn escape_html(subject: &str) -> String {
+    subject
+        .replace("&", "&amp;")
+        .replace("<", "&lt;")
+        .replace(">", "&gt;")
+        .replace("\"", "&quot;")
+        .replace("'", "&#x27;")
+        .replace("`", "&#x60;")
+}
+
 pub fn format_timeentry_notes_for_list(n: &str, length: Option<usize>) -> std::string::String {
     let take: usize = match length {
         Some(value) => value,
         None => 80,
     };
 
-    let formatted: String = n
-        .replace("&", "&amp;")
-        .replace("<", "&lt;")
-        .replace(">", "&gt;")
+    let formatted: String = escape_html(n)
         .replace("\n\n", "\n")
         .replace("\n", " - ")
         .chars()
diff --git a/src/ui.rs b/src/ui.rs
@@ -289,9 +289,9 @@ impl Ui {
 
             let project_client = format!(
                 "<b>{}</b> ({})\n{} - {}",
-                &time_entry.project.name_and_code(),
-                &time_entry.client.name,
-                &time_entry.task.name,
+                &escape_html(&time_entry.project.name_and_code()),
+                &escape_html(&time_entry.client.name),
+                &escape_html(&time_entry.task.name),
                 &notes
             );
             let project_label = gtk::Label::new(Some(&project_client));
