From affd8062e2a3afc47d9856c8a533fc7ab0226aea Mon Sep 17 00:00:00 2001
From: zadam <zadam.apps@gmail.com>
Date: Mon, 26 Dec 2022 10:52:28 +0100
Subject: [PATCH] escape note titles in note map

---
 src/public/app/widgets/note_map.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/public/app/widgets/note_map.js b/src/public/app/widgets/note_map.js
index acacedae3..ccd659683 100644
--- a/src/public/app/widgets/note_map.js
+++ b/src/public/app/widgets/note_map.js
@@ -5,6 +5,9 @@ import hoistedNoteService from "../services/hoisted_note.js";
 import appContext from "../components/app_context.js";
 import NoteContextAwareWidget from "./note_context_aware_widget.js";
 import linkContextMenuService from "../menus/link_context_menu.js";
+import utils from "../services/utils.js";
+
+const esc = utils.escapeHtml;
 
 const TPL = `<div class="note-map-widget" style="position: relative;">
     <style>
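Review bot: `const esc = utils.escapeHtml;` detaches the function from the `utils` object, so every later `esc(...)` call runs without `this`. The implementation of `escapeHtml` is not visible in this patch; if it relies on `this` now or after a later change (for example by calling a sibling helper on `utils`), the label callbacks would throw or behave differently. A wrapper keeps the call bound at the same length: `const esc = text => utils.escapeHtml(text);`.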
@@ -102,7 +105,7 @@ export default class NoteMapWidget extends NoteContextAwareWidget {
                 ctx.arc(node.x, node.y, this.noteIdToSizeMap[node.id], 0, 2 * Math.PI, false);
                 ctx.fill();
             })
-            .nodeLabel(node => node.name)
+            .nodeLabel(node => esc(node.name))
             .maxZoom(7)
             .warmupTicks(30)
             .linkDirectionalArrowLength(5)
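Review bot: The new `esc(node.name)` call has no comment saying that the label is an HTML sink, so a later refactor could drop the escaping as apparently redundant. The `linkLabel` template in the next hunk embeds `<strong>`, which indicates the graph component interprets label strings as markup, so a note title containing tags would be interpreted as markup, not shown as text. I would add `// labels are rendered as HTML by the graph component; escape all note-derived text` above this call and above the `linkLabel` call. How `esc` handles a missing or non-string `node.name` is not visible here and is worth confirming. The builder chain starts and ends outside the hunk.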
@@ -114,7 +117,7 @@ export default class NoteMapWidget extends NoteContextAwareWidget {
 
         if (this.mapType === 'link') {
             this.graph
-                .linkLabel(l => `${l.source.name} - <strong>${l.name}</strong> - ${l.target.name}`)
+                .linkLabel(l => `${esc(l.source.name)} - <strong>${esc(l.name)}</strong> - ${esc(l.target.name)}`)
                 .linkCanvasObject((link, ctx) => this.paintLink(link, ctx))
                 .linkCanvasObjectMode(() => "after");
         }