From 6c79a19b2987feafe2dc1b4fe5871805c5df8fed Mon Sep 17 00:00:00 2001
From: Shariq Ansari <30859809+shariquerik@users.noreply.github.com>
Date: Wed, 25 Jan 2023 18:37:24 +0530
Subject: [PATCH] fix: escape html to get tooltip text (#167)
---
 src/cellmanager.js | 5 +++--
 src/utils.js | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/cellmanager.js b/src/cellmanager.js
index 0b49729..83b1781 100644
--- a/src/cellmanager.js
+++ b/src/cellmanager.js
@@ -2,7 +2,8 @@ import {
 copyTextToClipboard,
 makeDataAttributeString,
 throttle,
- linkProperties
+ linkProperties,
+ escapeHTML,
 } from './utils';
 import $ from './dom';
 import icons from './icons';
@@ -886,7 +887,7 @@ export default class CellManager {
 let textContent = div.textContent;
 textContent = textContent.replace(/\s+/g, ' ').trim();
- cellContentHTML = cellContentHTML.replace('>', ` title="${textContent}">`);
+ cellContentHTML = cellContentHTML.replace('>', ` title="${escapeHTML(textContent)}">`);
 return cellContentHTML;
 }
diff --git a/src/utils.js b/src/utils.js
index 0899b1f..6366a5e 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -149,3 +149,19 @@ export function format(str, args) {
 return str;
 };
+
+export function escapeHTML(txt) {
+ if (!txt) return '';
+ let escapeHtmlMapping = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": ''',
+ '/': '/',
+ '`': '`',
+ '=': '=',
+ };
+
+ return String(txt).replace(/[&<>"'`=/]/g, (char) => escapeHtmlMapping[char] || char);
+};
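Review bot: The added `replace('>', …)` line in src/cellmanager.js still passes the replacement as a string, so `$`-sequences left in the escaped tooltip text (`$&`, `$$`) are expanded by `String.prototype.replace` instead of appearing literally. Cell text containing `$&` would put the matched `>` into the `title` value, and escaping a `$'` can itself produce a `$&` if the quote is mapped to an entity that begins with `&`. A function replacement is inserted verbatim: build the attribute string first, then call `cellContentHTML.replace('>', () => titleAttr)`. The enclosing method starts outside the hunk, so how `div` is populated cannot be checked from here.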
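Review bot: The guard `if (!txt) return '';` in the new `escapeHTML` also discards `0` and `false`, which a helper exported from src/utils.js should return as `'0'` and `'false'`; `if (txt == null) return '';` limits the empty result to null and undefined. The mapping values appear on this page as the same characters as their keys, which is probably the page decoding the entities, so it is worth confirming that the committed file holds the entity strings, since the tooltip fix depends on them. The function also has no doc comment; a short JSDoc should state that the output is meant for HTML text and quoted attribute values, not for URLs, script content or unquoted attributes. `escapeHtmlMapping` can be a module-level `const`, and the `|| char` fallback is unreachable because every character the regex matches has a key.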