inject text instead of HTML name

bewest · bewest · commit 2e1ee38234ef · 2022-10-01T12:27:59.000-07:00
Avoid HTML injection called out by CODEQL.
diff --git a/lib/food/food.js b/lib/food/food.js
@@ -243,7 +243,7 @@ client.init(function loaded () {
             .append($('<img>').attr('title',translate('Edit record')).attr('src',icon_edit).attr('index',i).attr('class','fe_editimg'))
             .append($('<img>').attr('title',translate('Delete record')).attr('src',icon_remove).attr('index',i).attr('class','fe_removeimg'))
           )
-          .append($('<span>').addClass('width200px').append(foodlist[i].name))
+          .append($('<span>').addClass('width200px').text(foodlist[i].name))
           .append($('<span>').addClass('width150px').css('text-align','center').append(foodlist[i].portion))
           .append($('<span>').addClass('width50px').css('text-align','center').append(foodlist[i].unit))
           .append($('<span>').addClass('width100px').css('text-align','center').append(foodlist[i].carbs))

Original file line number	Diff line number	Diff line change
`@@ -243,7 +243,7 @@ client.init(function loaded () {`
`243`	`243`	`.append($('<img>').attr('title',translate('Edit record')).attr('src',icon_edit).attr('index',i).attr('class','fe_editimg'))`
`244`	`244`	`.append($('<img>').attr('title',translate('Delete record')).attr('src',icon_remove).attr('index',i).attr('class','fe_removeimg'))`
`245`	`245`	`)`
`246`		`- .append($('<span>').addClass('width200px').append(foodlist[i].name))`
	`246`	`+ .append($('<span>').addClass('width200px').text(foodlist[i].name))`
`247`	`247`	`.append($('<span>').addClass('width150px').css('text-align','center').append(foodlist[i].portion))`
`248`	`248`	`.append($('<span>').addClass('width50px').css('text-align','center').append(foodlist[i].unit))`
`249`	`249`	`.append($('<span>').addClass('width100px').css('text-align','center').append(foodlist[i].carbs))`