Fixed missing HTML sanitization (#1)
It was possible to run arbitrary JavaScript from restoring a crafted teambuilder backup. Let me know if a Smogon bug report with clarification is needed.

A sample: paste the following into the backup menu and restore, the effect is immediate.

=== [<script>alert("hi i'm from an arbitrary script!");</script>] Untitled 1 ===
swordfishtr authored Sep 21, 2024
1 parent 5512e76 commit 6bc0641
Showing 1 changed file with 1 addition and 1 deletion.
play.pokemonshowdown.com/js/client-teambuilder.js (2 changes: 1 addition & 1 deletion)
@@ -494,7 +494,7 @@
// support dragging and dropping buttons.
buf += '<li><div name="edit" data-value="' + i + '" class="team';
if (team.capacity === 24) buf += ' pc-box';
buf += '" draggable="true">' + formatText + '<strong>' + BattleLog.escapeHTML(team.name) + '</strong><br /><small>';
buf += '" draggable="true">' + BattleLog.escapeHTML(formatText) + '<strong>' + BattleLog.escapeHTML(team.name) + '</strong><br /><small>';
buf += Storage.getTeamIcons(team);
buf += '</small></div><button name="edit" value="' + i + '"><i class="fa fa-pencil" aria-label="Edit" title="Edit (you can also just click on the team)"></i></button><button name="duplicate" value="' + i + '" title="Duplicate" aria-label="Duplicate"><i class="fa fa-clone"></i></button><button name="delete" value="' + i + '"><i class="fa fa-trash"></i> Delete</button></li>';
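Review bot: wrapping formatText in BattleLog.escapeHTML closes the injection at `+ formatText +`, but the next line of the same hunk still concatenates `Storage.getTeamIcons(team)` into the markup unescaped, so please confirm that helper returns already-escaped HTML rather than raw fields from the restored backup; if it does not, the crafted-backup path described in the commit message remains open through the icons string. It would also be worth adding a regression test that restores the sample backup given in the commit message (the `=== [<script>…</script>] Untitled 1 ===` header) and asserts that the rendered team list contains no script element, so the escaping cannot be dropped again silently.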
