From 0b913d070a87bb7f02666610a7e41c1b45133dd1 Mon Sep 17 00:00:00 2001
From: "Glenn R. Martin" <222487+grmartin@users.noreply.github.com>
Date: Mon, 9 Jun 2025 00:02:01 -0400
Subject: [PATCH] Encoding HTML entities as well as ensuring no script tags
 slip by

---
 src/core/operations/ParseAITokens.mjs | 35 +++++++++++++++++----------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/src/core/operations/ParseAITokens.mjs b/src/core/operations/ParseAITokens.mjs
index b56d85d8..06d4c5f6 100644
--- a/src/core/operations/ParseAITokens.mjs
+++ b/src/core/operations/ParseAITokens.mjs
@@ -95,7 +95,8 @@ class ParseAITokens extends Operation {
 
         const tokenHtml = tokens.map((t, i) => {
             const tok =
-                t.replaceAll(" ", "\u00A0")
+                t.replace(/[\u00A0-\u9999<>&]/g, i => "&#"+i.charCodeAt(0)+";")
+                    .replaceAll(" ", "\u00A0")
                     .replaceAll("\n", "<newline>");
 
             const css = [
@@ -127,21 +128,29 @@ class ParseAITokens extends Operation {
     };
 
     /**
-     * Replace all space not starting within the HTML tag.
-     * @param {string} htmlString
-     * @returns {string}
+     * Replace spaces outside HTML tags and sanitize <script> tags.
+     * @param {string} htmlString - The input HTML string.
+     * @returns {string} - The sanitized and formatted HTML string.
      */
     replaceSpacesOutsideTags(htmlString) {
-        return htmlString.replace(/(<[^>]*?>)|(\s+)/g, function(match, tag, spaces) {
-            if (tag) {
-                return tag;
-            } else if (spaces) {
-                return "";
-            }
-        }).replace(/[\r\n]/g, "");
-    };
+        return htmlString
+            .replace(/(<script\b[^>]*>.*?<\/script>)|(<[^>]*?>)|(\s+)/gi, (match, scriptTag, htmlTag, spaces) => {
+                if (scriptTag) {
+                    // Sanitize the <script> tag by escaping it
+                    return scriptTag
+                        .replace(/</g, "&lt;")
+                        .replace(/>/g, "&gt;");
+                } else if (htmlTag) {
+                    // Leave other HTML tags unchanged
+                    return htmlTag;
+                } else if (spaces) {
+                    // Replace spaces outside tags
+                    return "";
+                }
+            })
+            .replace(/[\r\n]/g, "");
+    }
 
 }
 
 export default ParseAITokens;
-