From b506885eb1e4ad5f5b54a2863f175d168855d390 Mon Sep 17 00:00:00 2001
From: Florian Bruhin <me@the-compiler.org>
Date: Sun, 29 Nov 2020 14:53:59 +0100
Subject: Fix HTML-escaping of JavaScript messages

With f8309d995641a7eb6113c8b0bc4bbb1faa7e8a86, the conditional escaping
for Qt <= 5.11 was dropped. However, while doing so, I accidentally
thought that bug was about Qt *not* escaping messages in older versions,
while in reality it was the other way around... Thus, we now have to
unconditionally escape them, rather than not escaping them at all.
---
 qutebrowser/browser/shared.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/qutebrowser/browser/shared.py b/qutebrowser/browser/shared.py
index 193a2a0e0..9234e82d8 100644
--- a/qutebrowser/browser/shared.py
+++ b/qutebrowser/browser/shared.py
@@ -82,7 +82,7 @@ def javascript_confirm(url, js_msg, abort_on):
         raise CallSuper
 
     msg = 'From <b>{}</b>:<br/>{}'.format(html.escape(url.toDisplayString()),
-                                          js_msg)
+                                          html.escape(js_msg))
     urlstr = url.toString(QUrl.RemovePassword | QUrl.FullyEncoded)
     ans = message.ask('Javascript confirm', msg,
                       mode=usertypes.PromptMode.yesno,
@@ -99,7 +99,7 @@ def javascript_prompt(url, js_msg, default, abort_on):
         return (False, "")
 
     msg = '<b>{}</b> asks:<br/>{}'.format(html.escape(url.toDisplayString()),
-                                          js_msg)
+                                          html.escape(js_msg))
     urlstr = url.toString(QUrl.RemovePassword | QUrl.FullyEncoded)
     answer = message.ask('Javascript prompt', msg,
                          mode=usertypes.PromptMode.text,
@@ -122,7 +122,7 @@ def javascript_alert(url, js_msg, abort_on):
         return
 
     msg = 'From <b>{}</b>:<br/>{}'.format(html.escape(url.toDisplayString()),
-                                          js_msg)
+                                          html.escape(js_msg))
     urlstr = url.toString(QUrl.RemovePassword | QUrl.FullyEncoded)
     message.ask('Javascript alert', msg, mode=usertypes.PromptMode.alert,
                 abort_on=abort_on, url=urlstr)
-- 
cgit v1.2.3-54-g00ecf