From 9b878c19d87c1c77e32f87bc1dde5c96102aee61 Mon Sep 17 00:00:00 2001
From: Bruno Wagner and Fabio Pio
Date: Fri, 16 Jan 2015 19:30:02 -0200
Subject: Issue #233 plain text body now escapes html tags
---
web-ui/app/js/helpers/view_helper.js | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'web-ui/app/js')
diff --git a/web-ui/app/js/helpers/view_helper.js b/web-ui/app/js/helpers/view_helper.js
index 01ab45ed..bb909cea 100644
--- a/web-ui/app/js/helpers/view_helper.js
+++ b/web-ui/app/js/helpers/view_helper.js
@@ -35,10 +35,33 @@ define(
return textPlainBody.replace(/^(.*?)$/mg, '

$1

'); }
+ function escapeHtmlTags (body) {
+
+ var escapeIndex = {
+ "&": "&",
+ "<": "<",
+ ">": ">",
+ '"': '"',
+ "'":''',
+ "/": '/'
+
+ };
+
+ return body.replace(/["'<>\/&]/g, function(char){
+ return escapeIndex[char];
+ } )
+
+ }
+
+ function escapeHtmlAndAddParagraphs (body) {
+ var escapedBody = escapeHtmlTags(body);
+ return addParagraphsToPlainText(escapedBody);
+ }
+
function formatMailBody (mail) { var body = mail.htmlBodyPart ? htmlWhitelister.sanitize(mail.htmlBody, htmlWhitelister.tagPolicy) :
- addParagraphsToPlainText(mail.textPlainBody);
+ escapeHtmlAndAddParagraphs(mail.textPlainBody);
return $(body); }
-- cgit v1.2.3
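Review bot: `escapeHtmlTags` is now the only barrier between a sender-controlled `mail.textPlainBody` and the HTML parse done by `$(body)` in `formatMailBody`, but the diffstat shows a single file changed, so no spec pins that behaviour. I would add one asserting that a body containing a tag such as `<b>x</b>` comes back as paragraph text with no child elements, and that `&`, both quote characters and `/` survive as literal text. As rendered on this page every `escapeIndex` value equals its key, which is presumably entity decoding by the page rather than the committed code; confirm the file maps them to entities such as `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#x27;` and `&#x2F;`. A one-line comment on `escapeHtmlAndAddParagraphs`, e.g. `// escape before wrapping: the paragraph markup added next must stay unescaped`, would record why the call order matters. `addParagraphsToPlainText` begins outside this hunk, so what it emits is inferred from its name and the visible `replace` call.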