From 47bf1d1930038225dd03e4d8dbc53692f5323c16 Mon Sep 17 00:00:00 2001
From: FurWaz <fur.waz06@gmail.com>
Date: Wed, 5 Apr 2023 22:01:21 +0200
Subject: [PATCH] Fixed weird non-xss injection problem modifications

---
 src/frontend/src/views/TripsNew.vue | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/frontend/src/views/TripsNew.vue b/src/frontend/src/views/TripsNew.vue
index d3c28ef3..07acfd17 100644
--- a/src/frontend/src/views/TripsNew.vue
+++ b/src/frontend/src/views/TripsNew.vue
@@ -558,7 +558,14 @@ export default {
             if (!data) return false;
             let startDate = "";
 
-            const stylize = str => `<span class="text-slate-600 dark:text-slate-200 font-bold">${str}</span>`;
+            const stylize = str => {
+                if (!str) return "";
+                
+                const span = document.createElement("span");
+                span.classList.add("text-slate-600", "dark:text-slate-200", "font-bold");
+                span.innerText = str;
+                return span.outerHTML;
+            };
             const getDate = date => {
                 if (!date) return undefined;
                 const strDate = new Date(date).toLocaleDateString();
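Review bot: In the new `stylize`, `if (!str) return "";` also discards a numeric `0`, so a placeholder that `formatString` fills with `0` now renders as nothing where the old template literal printed it; if any caller passes numbers, narrow the guard to `if (str === undefined || str === null || str === "") return "";`. Assigning through `innerText` also turns line breaks in the value into `<br>` elements, whereas `span.textContent = str;` keeps the value as a single text node and gets the same escaping from `outerHTML`. A short comment above `stylize` stating that it returns escaped HTML intended for an `innerHTML` sink would make the contract explicit. The hunk ends inside `getDate`, whose body continues outside it.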
@@ -567,8 +574,13 @@ export default {
             };
             const getTime = date => !date ? undefined: new Date(date).toLocaleTimeString().substring(0, 5);
             const formatString = (str, ...args) => {
+                let shouldStylize = true;
+                if (typeof args[args.length -1] === 'boolean' && args[args.length -1] === false)
+                    shouldStylize = false;
                 return str.replace(/\{(\d+)\}/g, (match, number) => {
-                    return stylize(typeof args[number] != 'undefined' ? args[number] : match);
+                    return shouldStylize
+                        ? stylize(typeof args[number] != 'undefined' ? args[number] : match)
+                        : ( typeof args[number] != 'undefined' ? args[number] : match);
                 });
             }
 
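Review bot: The non-stylized branch of `formatString` returns `args[number]` verbatim, and with the `innerHTML` sink introduced in the last hunk of this patch a trailing `false` becomes an opt-out of escaping that nothing at the call site announces. Please document it above the function, for example `// A trailing false means the args are already-escaped HTML (stylize output); never combine it with raw user text.`, or replace the sentinel with a separately named helper so the unescaped path is easy to spot in review. The detection itself can be one line, `const shouldStylize = args[args.length - 1] !== false;`, since the `typeof` test is implied by `=== false`. The flag also stays in `args`, so a template whose placeholder index reaches it would print `false`. The hunk opens inside `getDate`, which starts outside it.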
@@ -619,7 +631,8 @@ export default {
 
             desc += formatString(
                 data.description == ""? Lang.CurrentLang.CONFIRM_TRIP_NO_INFOS+".": Lang.CurrentLang.CONFIRM_TRIP_INFOS,
-                "\n" + data.description.split("\n").map(l => stylize(l)).join("\n")
+                "\n" + data.description.split("\n").map(l => stylize(l)).join("\n"),
+                false
             );
 
             const lines = desc.split("\n");
@@ -632,7 +645,7 @@ export default {
                     p.classList.add("mt-4");
                     text = line.substring(1);
                 }
-                p.innerText = text;
+                p.innerHTML = text;
                 tripDesc.appendChild(p);
             });
 
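Review bot: Switching `p.innerText = text` to `p.innerHTML = text` makes every fragment of `desc` an HTML source, so the safety of this line now depends on all user-supplied values having gone through `stylize` before they were concatenated. The visible calls do that for the description lines, but the `Lang.CurrentLang` templates and any text appended to `desc` outside these hunks reach the sink unescaped; that is presumably fine for bundled translations, though it should be confirmed for the code not shown here. I would at least add `// desc must hold only trusted templates and stylize() output: it is parsed as HTML here` above the assignment. A sturdier design would have `stylize` return the span element and append nodes to `p`, keeping a text-only sink. The `forEach` callback starts outside the hunk.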
-- 
GitLab