From f0a556f004b0f32181f7d3cd2c9b9ea4fff9eca0 Mon Sep 17 00:00:00 2001
From: Anthony Dresser
Date: Tue, 3 Jul 2018 16:37:44 -0700
Subject: [PATCH] add quote to string escape (#1838)
---
 src/sql/base/common/strings.ts | 21 +++++++++++++++++++
 src/sql/parts/grid/services/sharedServices.ts | 8 +++----
 .../parts/grid/views/query/query.component.ts | 7 ++++---
 3 files changed, 29 insertions(+), 7 deletions(-)
 create mode 100644 src/sql/base/common/strings.ts
diff --git a/src/sql/base/common/strings.ts b/src/sql/base/common/strings.ts
new file mode 100644
index 0000000000..121133862a
--- /dev/null
+++ b/src/sql/base/common/strings.ts
@@ -0,0 +1,21 @@
+/*---------------------------------------------------------------------------------------------
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the Source EULA. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+'use strict';
+
+/**
+ * Converts HTML characters inside the string to use entities instead. Makes the string safe from
+ * being used e.g. in HTMLElement.innerHTML.
+ */
+export function escape(html: string): string {
+ return html.replace(/[<|>|&|"]/g, function (match) {
+ switch (match) {
+ case '<': return '<';
+ case '>': return '>';
+ case '&': return '&';
+ case '"': return '"';
+ default: return match;
+ }
+ });
+}
diff --git a/src/sql/parts/grid/services/sharedServices.ts b/src/sql/parts/grid/services/sharedServices.ts
index c02292730a..5065d3c0f3 100644
--- a/src/sql/parts/grid/services/sharedServices.ts
+++ b/src/sql/parts/grid/services/sharedServices.ts
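Review bot: As rendered, every `case` in the new `escape` returns the same character it matched (`case '<': return '<';`), which would make the function a no-op; this is most likely entity decoding by the page rather than the committed source, but the commit adds no test that would catch it — a single `assert.strictEqual(escape('<a href="x">'), '&lt;a href=&quot;x&quot;&gt;')` would pin the contract. Separately, `/[<|>|&|"]/g` is a character class, so `|` is matched as a literal and falls through to `default`; `/[<>&"]/g` expresses the intent without the stray alternation. The set also leaves `'` untouched, so the doc comment's "safe from being used e.g. in HTMLElement.innerHTML" holds for element content and double-quoted attribute values only; adding `case "'": return '&#39;';` (and `'` to the class) covers single-quoted attributes too, and the comment should name the contexts it is safe for rather than innerHTML in general.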
@@ -3,7 +3,7 @@ * Licensed under the Source EULA. See License.txt in the project root for license information. *--------------------------------------------------------------------------------------------*/ -import * as Strings from 'vs/base/common/strings'; +import { escape } from 'sql/base/common/strings'; export class DBCellValue { displayValue: string; @@ -25,7 +25,7 @@ export function hyperLinkFormatter(row: number, cell: any, value: any, columnDef valueToDisplay = 'NULL'; if (!value.isNull) { cellClasses += ' xmlLink'; - valueToDisplay = Strings.escape(value.displayValue); + valueToDisplay = escape(value.displayValue); return `${valueToDisplay}`; } else { cellClasses += ' missing-value'; @@ -44,12 +44,12 @@ export function textFormatter(row: number, cell: any, value: any, columnDef: any if (DBCellValue.isDBCellValue(value)) { valueToDisplay = 'NULL'; if (!value.isNull) { - valueToDisplay = Strings.escape(value.displayValue.replace(/(\r\n|\n|\r)/g, ' ')); + valueToDisplay = escape(value.displayValue.replace(/(\r\n|\n|\r)/g, ' ')); } else { cellClasses += ' missing-value'; } } else if (typeof value === 'string') { - valueToDisplay = Strings.escape(value); + valueToDisplay = escape(value); } return `${valueToDisplay}`; diff --git a/src/sql/parts/grid/views/query/query.component.ts b/src/sql/parts/grid/views/query/query.component.ts index e94233ba42..8df91bf4b4 100644 --- a/src/sql/parts/grid/views/query/query.component.ts +++ b/src/sql/parts/grid/views/query/query.component.ts 
@@ -27,8 +27,9 @@ import { error } from 'sql/base/common/log'; import { TabChild } from 'sql/base/browser/ui/panel/tab.component'; import { clone, mixin } from 'sql/base/common/objects'; import { IQueryEditorService } from 'sql/parts/query/common/queryEditorService'; +import { escape } from 'sql/base/common/strings'; -import * as strings from 'vs/base/common/strings'; +import { format } from 'vs/base/common/strings'; import * as DOM from 'vs/base/browser/dom'; import { StandardKeyboardEvent } from 'vs/base/browser/keyboardEvent'; import { KeyCode } from 'vs/base/common/keyCodes'; @@ -60,7 +61,7 @@ export class QueryComponent extends GridParentComponent implements OnInit, OnDes // create a function alias to use inside query.component // tslint:disable-next-line:no-unused-variable - private stringsFormat: any = strings.format; + private stringsFormat: any = format; // tslint:disable-next-line:no-unused-variable private dataIcons: IGridIcon[] = [ @@ -302,7 +303,7 @@ export class QueryComponent extends GridParentComponent implements OnInit, OnDes // Push row values onto end of gridData for slickgrid gridData.push({ values: rows.rows[row].map(c => { - return mixin({ ariaLabel: c.displayValue }, c); + return mixin({ ariaLabel: escape(c.displayValue) }, c); }) }); }
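Review bot: `private stringsFormat: any = format;` changes the initializer but keeps the `any` annotation, so the aliased signature is still unchecked at its only declared point; `private stringsFormat: typeof format = format;` preserves behaviour and the type. The `tslint:disable-next-line:no-unused-variable` above it suggests the alias is read only from the template, which makes the declared type the one place a reader can see what it accepts. The enclosing class body continues outside the hunk.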
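Review bot: `escape(c.displayValue)` in the `mixin` call runs without the `!value.isNull` guard that `sharedServices.ts` applies before escaping `displayValue`; if these cells are `DBCellValue`s and a null cell's `displayValue` is undefined, `String.prototype.replace` inside `escape` throws and the whole row fails to build — `escape(c.displayValue || '')`, or checking `c.isNull` first, keeps the previous behaviour for that case. Whether escaping belongs here at all depends on how `ariaLabel` is rendered, which the hunk does not show: if the grid interpolates it into an HTML attribute string, encoding `"` is exactly what keeps the value inside the attribute; if it is assigned via `setAttribute` or a DOM property, the entities will be read aloud literally. A short comment on the line stating which, e.g. `// escaped: ariaLabel is interpolated into attribute markup by the grid renderer`, would save the next reader the lookup. The enclosing method starts before the hunk.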