From d5032404ddc0a977d6d3272bd405e4e1a1174039 Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Sat, 27 Jun 2020 11:54:03 +0300
Subject: [PATCH] Bug 1644024 - Properly escape HTML in topics. r=khushil DONTBUILD
---
 chat/modules/jsProtoHelper.jsm | 18 ++++++++++++++++--
 chat/protocols/irc/ircUtils.jsm | 2 +-
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/chat/modules/jsProtoHelper.jsm b/chat/modules/jsProtoHelper.jsm
index c8300bb640..7c67964d39 100644
--- a/chat/modules/jsProtoHelper.jsm
+++ b/chat/modules/jsProtoHelper.jsm
@@ -31,6 +31,11 @@ XPCOMUtils.defineLazyGetter(this, "_", () =>
 l10nHelper("chrome://chat/locale/conversations.properties")
 );
+XPCOMUtils.defineLazyGetter(this, "TXTToHTML", function() {
+ let cs = Cc["@mozilla.org/txttohtmlconv;1"].getService(Ci.mozITXTToHTMLConv);
+ return aTXT => cs.scanTXT(aTXT, cs.kEntities);
+});
+
 var GenericAccountPrototype = {
 __proto__: ClassInfo("prplIAccount", "generic account object"),
 get wrappedJSObject() {
@@ -764,6 +769,15 @@ var GenericConvChatPrototype = {
 get topicSetter() {
 return this._topicSetter;
 },
+ /**
+ * Set the topic of a conversation.
+ *
+ * @param {string} aTopic - The new topic. If an update message is sent to
+ * the conversation, this will be HTML escaped before being sent.
+ * @param {string} aTopicSetter - The user who last modified the topic.
+ * @param {string} aQuiet - If false, a message notifying about the topic
+ * change will be sent to the conversation.
+ */
 setTopic(aTopic, aTopicSetter, aQuiet) {
 // Only change the topic if the topic and/or topic setter has changed.
 if (
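Review bot: The `TXTToHTML` getter added in the `@@ -31,6 +31,11 @@` hunk has no comment saying which HTML contexts its output is safe for. As far as I know, `scanTXT` with `kEntities` escapes `&`, `<` and `>` for element content and leaves quotes alone, so the result should not be placed inside an attribute value. I would add a comment above it such as `// Escapes &, < and > so untrusted text can be inserted as HTML element content (not attribute values).` so later callers do not assume more than the helper provides.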
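Review bot: In the JSDoc added above `setTopic` (hunk `@@ -764,6 +769,15 @@`), `aQuiet` is typed `{string}` but described as a flag ("If false, ..."); `@param {boolean} aQuiet` matches the description. The comment could also state outright that only the notification message is escaped and the topic itself is kept as raw text, which is what the wording suggests but does not say. The body of `setTopic` continues outside this hunk, so the storage side is inferred rather than visible here.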
@@ -786,14 +800,14 @@ var GenericConvChatPrototype = {
 let message;
 if (aTopicSetter) {
 if (aTopic) {
- message = _("topicChanged", aTopicSetter, aTopic);
+ message = _("topicChanged", aTopicSetter, TXTToHTML(aTopic));
 } else {
 message = _("topicCleared", aTopicSetter);
 }
 } else {
 aTopicSetter = null;
 if (aTopic) {
- message = _("topicSet", this.name, aTopic);
+ message = _("topicSet", this.name, TXTToHTML(aTopic));
 } else {
 message = _("topicNotSet", this.name);
 }
diff --git a/chat/protocols/irc/ircUtils.jsm b/chat/protocols/irc/ircUtils.jsm
index d1ba036e5f..4958b8736f 100644
--- a/chat/protocols/irc/ircUtils.jsm
+++ b/chat/protocols/irc/ircUtils.jsm
@@ -55,7 +55,7 @@ var CTCP_TAGS_EXP = new RegExp("[" + Object.keys(CTCP_TAGS).join("") + "]");
 // Remove all CTCP formatting characters.
 function ctcpFormatToText(aString) {
 let next,
- input = TXTToHTML(aString),
+ input = aString,
 output = "",
 length;
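Review bot: Only `aTopic` is escaped in the `@@ -786,14 +800,14 @@` hunk, while `aTopicSetter` and `this.name` go into the same message strings unescaped, including in the `topicCleared` and `topicNotSet` branches. If the message is rendered as HTML, as the commit title implies, those values also originate from the remote side, and on this generic prototype nothing visible guarantees they are free of markup characters. Consider `message = _("topicChanged", TXTToHTML(aTopicSetter), TXTToHTML(aTopic));` and the equivalent for the other three calls, or a comment stating why names are already safe. How `message` is consumed lies outside the hunk.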
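Review bot: Dropping `TXTToHTML` from `ctcpFormatToText` (hunk `@@ -55,7 +55,7 @@` in ircUtils.jsm) changes its return value from HTML-escaped to raw text for every caller, not only the topic path fixed in jsProtoHelper.jsm. The callers are not visible here; any that pass the result into message HTML now need their own escaping, so they are worth auditing as part of this change. The comment above the function should record the new contract, e.g. `// Remove all CTCP formatting characters. Returns plain text that is NOT HTML escaped.` The function body continues past the hunk, and if `TXTToHTML` is no longer used elsewhere in this file its definition or import can be removed as well.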