From 6eb278356ca7b0ac7e9cba6067fcf077d2e3ad9a Mon Sep 17 00:00:00 2001 From: Paul Date: Thu, 23 Jan 2020 15:28:45 -0700 Subject: [PATCH] fixes potential xss by properly encoding xml --- xmpp/util.js | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/xmpp/util.js b/xmpp/util.js index 02bb466626..1cf54413ff 100644 --- a/xmpp/util.js +++ b/xmpp/util.js @@ -2,9 +2,20 @@ dojo.provide("dojox.xmpp.util"); dojo.require("dojox.string.Builder"); dojo.require("dojox.encoding.base64"); +var xmlEntityMap = { + '&': '&', + '>': '>', + '<': '<', + '\'': ''', + '"': '"' +}; +var xmlEntityRegex = /(&|>|<|'|")/g; + dojox.xmpp.util.xmlEncode = function(str) { if(str) { - str = str.replace("&", "&").replace(">", ">").replace("<", "<").replace("'", "'").replace('"', """); + str = str.replace(xmlEntityRegex, function (match) { + return xmlEntityMap[match] || ''; + }) } return str; }; @@ -49,7 +60,7 @@ dojox.xmpp.util.encodeJid = function(jid) { }; dojox.xmpp.util.decodeJid = function(jid) { - + jid = jid.replace(/\\([23][02367acef])/g, function(match) { switch(match){ case "\\20" : @@ -73,7 +84,7 @@ dojox.xmpp.util.decodeJid = function(jid) { } return "ARG"; }); - + return jid; }; @@ -87,7 +98,7 @@ dojox.xmpp.util.createElement = function(tag, attributes, terminal){ elem.append(attributes[attr]); elem.append('" '); } - + if (terminal){ elem.append("/>"); }else{
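Review bot: The rewritten xmlEncode now escapes every occurrence of the five XML metacharacters, but it still passes through characters that are illegal in XML 1.0 (control characters other than tab, CR and LF), so attacker-supplied text containing them yields a malformed stanza rather than an escaped one; a stripping pass before the entity replacement, `str = str.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/g, '');`, would close that gap. The `if(str)` guard only skips falsy values, so a truthy non-string argument reaches `.replace` and throws; coercing with `str = String(str);` or checking `typeof str === 'string'` would make the helper safe for attribute values of any type. As rendered on this page the map's replacement values appear as the bare characters (`'&': '&'`), presumably an artifact of entity decoding in the page rather than the patch itself — confirm the committed map holds `&amp;`, `&gt;`, `&lt;`, `&apos;` and `&quot;`, and that the regex and map stay in sync, since the `|| ''` fallback silently drops any character the map does not cover. The fix only helps where it is applied: the later createElement hunk still shows `elem.append(attributes[attr]);` with no visible call to xmlEncode, so attribute values may still reach the stanza unescaped unless callers encode them first.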