From b6c4045cb486fea4e7026a070123b970dd335b76 Mon Sep 17 00:00:00 2001 From: Lim Chee Aun Date: Wed, 17 Jan 2024 11:31:33 +0800 Subject: [PATCH] Escape HTML chars in composer highlights This is very embarrassing, I know --- src/components/compose.jsx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/components/compose.jsx b/src/components/compose.jsx
index ba0d6afc..9d1e8ca7 100644
--- a/src/components/compose.jsx
+++ b/src/components/compose.jsx
@@ -133,7 +133,14 @@ const SCAN_RE = new RegExp(
 function highlightText(text, { maxCharacters = Infinity }) {
 // Accept text string, return formatted HTML string
- let html = text;
+ // Escape all HTML special characters
+ let html = text
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+
 // Exceeded characters limit
 const { composerCharacterCount } = states;
 let leftoverHTML = '';