From eb2c5797cb756ea32a623a15e2e29878321d5316 Mon Sep 17 00:00:00 2001
From: Elijah Steres <elijahsteres@gmail.com>
Date: Wed, 6 Jan 2021 14:14:19 -0500
Subject: [PATCH 1/2] Fix js injection vulnerability

---
 templates/game_box.html | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/templates/game_box.html b/templates/game_box.html
index c4d1d1d..d94ac25 100644
--- a/templates/game_box.html
+++ b/templates/game_box.html
@@ -5,18 +5,18 @@ src={% if state.bases[number] %}"/static/img/base_filled.png" alt="{{state.bases
 {% if number <= state.outs %}/static/img/out_out.png{% else %}/static/img/out_in.png{% endif %}
 {%- endmacro %}
 <div class="header">
-    <div class="inning">Inning: {% if state.display_top_of_inning == true %}🔼{% else %}🔽{% endif %} {{ state.display_inning }}/{{ state.max_innings }}</div>
-    <div class="title">{{ state.title }}</div>
-    <div class="weather">{{ state.weather_emoji }} {{ state.weather_text }}</div>
+    <div class="inning">Inning: {% if state.display_top_of_inning == true %}🔼{% else %}🔽{% endif %} {{ state.display_inning | escape }}/{{ state.max_innings | escape }}</div>
+    <div class="title">{{ state.title  | escape }}</div>
+    <div class="weather">{{ state.weather_emoji | escape }} {{ state.weather_text  | escape }}</div>
 </div>
 <div class="body">
     <div class="teams">
         <div class="team">
-            <div class="team_name">{{ state.away_name }}</div>
+            <div class="team_name">{{ state.away_name | escape }}</div>
             <div class="score">{{ state.away_score }}</div>
         </div>
         <div class="team">
-            <div class="team_name">{{ state.home_name }}</div>
+            <div class="team_name">{{ state.home_name | escape }}</div>
             <div class="score">{{ state.home_score }}</div>
         </div>
     </div>
@@ -38,16 +38,16 @@ src={% if state.bases[number] %}"/static/img/base_filled.png" alt="{{state.bases
     </div>
     <div class="players">
         <div class="player_type">PITCHER</div>
-        <div class="player_name pitcher_name">{{ state.pitcher }}</div>
+        <div class="player_name pitcher_name">{{ state.pitcher | escape }}</div>
         <div class="player_type">BATTER</div>
-        <div class="player_name batter_name">{{ state.batter }}</div>
+        <div class="player_name batter_name">{{ state.batter | escape }}</div>
     </div>
     <div class="update">
-        <div class="update_emoji">{{ state.update_emoji }}</div>
-        <div class="update_text">{{ state.update_text }}</div>
+        <div class="update_emoji">{{ state.update_emoji | escape }}</div>
+        <div class="update_text">{{ state.update_text | escape }}</div>
     </div>
 </div>
 <div class="footer">
-    <div class="batting">{% if state.display_top_of_inning == true %}{{ state.away_name }}{% else %}{{ state.home_name }}{% endif %} batting.</div>
-    <div class="leagueoruser">{{ state.leagueoruser }} (<a href="/game?timestamp={{ timestamp }}">share</a>)</div>
+    <div class="batting">{% if state.display_top_of_inning == true %}{{ state.away_name | escape }}{% else %}{{ state.home_name | escape }}{% endif %} batting.</div>
+    <div class="leagueoruser">{{ state.leagueoruser | escape }} (<a href="/game?timestamp={{ timestamp }}">share</a>)</div>
 </div>
\ No newline at end of file

From c931733ad17f15363bd1bbb48911fc0a87bf5833 Mon Sep 17 00:00:00 2001
From: Elijah Steres <elijahsteres@gmail.com>
Date: Wed, 6 Jan 2021 15:20:46 -0500
Subject: [PATCH 2/2] forgot about leagues, whoops

---
 static/js/grid_loader.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/static/js/grid_loader.js b/static/js/grid_loader.js
index f203bd7..39ba154 100644
--- a/static/js/grid_loader.js
+++ b/static/js/grid_loader.js
@@ -88,11 +88,20 @@ const insertGame = (gridboxnum, game) => {
 const insertLeague = (league) => {
     var btn = document.createElement("BUTTON");
     btn.className = "filter";
-    btn.innerHTML = league;
+    btn.innerHTML = escapeHtml(league);
     $('#filters').append(btn);
     return btn;
 }
 
+function escapeHtml(unsafe) {
+    return unsafe
+         .replace(/&/g, "&amp;")
+         .replace(/</g, "&lt;")
+         .replace(/>/g, "&gt;")
+         .replace(/"/g, "&quot;")
+         .replace(/'/g, "&#039;");
+ }
+
 const clearBox = (box) => {
     box.className = "emptyslot";
     box.timestamp = null;