From 7667028444abb66d5b249406c3d86330972b704c Mon Sep 17 00:00:00 2001
From: Gibran Chevalley
Date: Wed, 17 Jul 2024 15:17:18 +0200
Subject: [PATCH] Also escape strings as string literals inside injectScript and injectCss
---
 .../infomaniak/lib/richhtmleditor/Extensions.kt | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/rich-html-editor/src/main/java/com/infomaniak/lib/richhtmleditor/Extensions.kt b/rich-html-editor/src/main/java/com/infomaniak/lib/richhtmleditor/Extensions.kt
index 691c110..ffd5fca 100644
--- a/rich-html-editor/src/main/java/com/infomaniak/lib/richhtmleditor/Extensions.kt
+++ b/rich-html-editor/src/main/java/com/infomaniak/lib/richhtmleditor/Extensions.kt
@@ -32,18 +32,21 @@ internal fun Context.readAsset(fileName: String): String {
 }
 internal fun WebView.injectScript(scriptCode: String, id: String? = null) {
- val removePreviousId = id?.let {
+ val escapedStringLiteralId = id?.let { looselyEscapeAsStringLiteralForJs(it) }
+
+ val removePreviousId = escapedStringLiteralId?.let {
 """
- var previousScript = document.getElementById(`$it`)
+ var previousScript = document.getElementById($it)
 if (previousScript) previousScript.remove()
 """.trimIndent()
 } ?: ""
+ val setId = escapedStringLiteralId?.let { "script.id = ${it};" } ?: ""
- val setId = id?.let { "script.id = `${it}`;" } ?: ""
+ val escapedStringLiteralScriptCode = looselyEscapeAsStringLiteralForJs(scriptCode)
 val addScriptJs = """
 var script = document.createElement('script');
 script.type = 'text/javascript';
- script.text = `${scriptCode}`;
+ script.text = $escapedStringLiteralScriptCode;
 $setId
 document.head.appendChild(script);
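Review bot: The fix at `script.text = $escapedStringLiteralScriptCode;` and `document.getElementById($it)` is only as strong as `looselyEscapeAsStringLiteralForJs`, which is defined outside this diff, and its name suggests the escaping may not be exhaustive. I would pin its contract with a unit test that feeds it a backslash, each quote character, a backtick, `${`, CR/LF and U+2028/U+2029, and checks that the resulting literal evaluates back to the original input; the same applies to the `injectCss` hunk below. Separately, `scriptCode` is still executed as JavaScript by design, so a KDoc line such as `/** [scriptCode] runs in the page; pass only trusted code. Escaping here only keeps it inside the string literal. */` would stop callers from reading the escaping as sanitisation. The body of `injectScript` continues past the end of this hunk.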
@@ -55,9 +58,10 @@ internal fun WebView.injectScript(scriptCode: String, id: String? = null) {
 }
 internal fun WebView.injectCss(css: String) {
+ val escapedStringLiteralCss = looselyEscapeAsStringLiteralForJs(css)
 val addCssJs = """
 var style = document.createElement('style');
- style.textContent = `${css}`;
+ style.textContent = $escapedStringLiteralCss;
 document.head.appendChild(style);
 """.trimIndent()
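Review bot: At `style.textContent = $escapedStringLiteralCss;` nothing at the call site shows that the value carries its own quotes, so a later edit could wrap it in quotes or backticks again and undo the escaping. A comment above the line, e.g. `// already a complete, quoted JS string literal; do not add quotes or backticks`, would make that explicit, assuming the helper (defined outside this diff) does return the quotes, as its unquoted use here implies. `injectCss` also has no KDoc; one line stating that `css` is set as the text of a new `<style>` element would be enough. The function body continues past the end of this hunk.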