From 26ac4e9125fe7d9209ab22b4bba3f81550344ea1 Mon Sep 17 00:00:00 2001
From: "Mr.doob" <info@mrdoob.com>
Date: Wed, 3 Jan 2018 13:39:33 -0800
Subject: [PATCH] Editor: Escape names.

---
 editor/js/Sidebar.Scene.js | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/editor/js/Sidebar.Scene.js b/editor/js/Sidebar.Scene.js
index dfb4c8ee72..363f9b6720 100644
--- a/editor/js/Sidebar.Scene.js
+++ b/editor/js/Sidebar.Scene.js
@@ -12,6 +12,17 @@ Sidebar.Scene = function ( editor ) {
 
 	// outliner
 
+	function escapeHTML( html ) {
+
+		return html
+			.replace( /&/g, '&amp;' )
+			.replace( /"/g, '&quot;' )
+			.replace( /'/g, '&#39;' )
+			.replace( /</g, '&lt;' )
+			.replace( />/g, '&gt;' );
+
+		}
+
 	function buildOption( object, draggable ) {
 
 		var option = document.createElement( 'div' );
@@ -45,15 +56,15 @@ Sidebar.Scene = function ( editor ) {
 
 	function buildHTML( object ) {
 
-		var html = '<span class="type ' + object.type + '"></span> ' + object.name;
+		var html = '<span class="type ' + object.type + '"></span> ' + escapeHTML( object.name );
 
 		if ( object instanceof THREE.Mesh ) {
 
 			var geometry = object.geometry;
 			var material = object.material;
 
-			html += ' <span class="type ' + geometry.type + '"></span> ' + geometry.name;
-			html += ' <span class="type ' + material.type + '"></span> ' + getMaterialName( material );
+			html += ' <span class="type ' + geometry.type + '"></span> ' + escapeHTML( geometry.name );
+			html += ' <span class="type ' + material.type + '"></span> ' + escapeHTML( getMaterialName( material ) );
 
 		}
 
-- 
GitLab