From 72ae8c2f9996d980ee9d160e07b9803a353aa5e8 Mon Sep 17 00:00:00 2001
From: Art Cancro
Date: Sat, 16 Sep 2023 12:12:25 -0400
Subject: [PATCH] Sanitize better.

"&" is handled before "<" and ">" so it doesn't sanitize the > and < ampersands. Ampersands are awesome. They look a lot like treble clefs, don't they? Actually they hate each other.
---
 webcit/static/instant_messenger.html | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/webcit/static/instant_messenger.html b/webcit/static/instant_messenger.html
index 67b3604a3..c43ac2426 100644
--- a/webcit/static/instant_messenger.html
+++ b/webcit/static/instant_messenger.html
@@ -102,9 +102,12 @@ function ShowNewMsg(gexp_xmlresponse) {
 result = gexp_response.substring(0, breakpos-1);
 the_message = gexp_response.substring(breakpos+1);
 the_message = the_message.substring(0, the_message.indexOf('\n000'));
+
+ // Sanitize HTML in the message
+ the_message = the_message.replaceAll("&", "&");
 the_message = the_message.replaceAll("<", "<");
 the_message = the_message.replaceAll(">", ">");
- the_message = the_message.replaceAll("&", "&");
+
 sender = extract_token(result.substring(4), 3, '|');
 // Figure out which div to write it to...
-- 
2.30.2
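Review bot: The reordered escaping still leaves `"` and `'` untouched, so it only protects `the_message` when it is inserted as element text, not inside an attribute value, and `sender` (extracted on the line after the new blank line) receives no escaping at all in this hunk; how either value reaches the DOM is outside the hunk, and ShowNewMsg's body begins above it. A more robust approach than hand-ordered `replaceAll` calls is to hand the raw string to the DOM as text (`node.textContent = the_message` or `document.createTextNode(the_message)`), which removes the ordering dependency this commit had to fix. As rendered here the replacement strings appear unescaped (`replaceAll("&", "&")` and likewise for `<` and `>`), which would make the calls no-ops; presumably the committed file has the `&amp;`/`&lt;`/`&gt;` entities, but that is worth confirming against the repository. The new comment should record why the order matters, e.g. `// Sanitize HTML in the message: escape "&" first so the entities produced for "<" and ">" are not themselves re-escaped`. The visible assignments to `result`, `the_message` and `sender` carry no `let`/`const`; if they are not declared earlier in ShowNewMsg they are implicit globals, which is worth checking.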