From f26346a597eb40237cf18ccf4dac388125e84a38 Mon Sep 17 00:00:00 2001
From: Friedrich Weber
Date: Wed, 15 Jan 2025 14:49:38 +0100
Subject: [PATCH] apt: add missing htmlEncode to qtip to avoid interpreting html tags in the values. When setting a tooltip via the `data-qtip` attribute, the contents needs to be double-encoded. Ext.js internally uses `innerHTML` to apply the generated HTML, which undoes one layer of encoding in case of `data-qtip`.
Signed-off-by: Friedrich Weber
---
 src/node/APTRepositories.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/node/APTRepositories.js b/src/node/APTRepositories.js
index 4e74da2..973fbf1 100644
--- a/src/node/APTRepositories.js
+++ b/src/node/APTRepositories.js
@@ -270,7 +270,7 @@ Ext.define('Proxmox.node.APTRepositoriesGrid', {
 let txt = [gettext('Warning')];
 record.data.warnings.forEach((warning) => {
 if (warning.property === 'Suites') {
- txt.push(warning.message);
+ txt.push(Ext.htmlEncode(warning.message));
 }
 });
 metaData.tdAttr = `data-qtip="${Ext.htmlEncode(txt.join('
'))}"`;
@@ -305,7 +305,7 @@ Ext.define('Proxmox.node.APTRepositoriesGrid', {
 ? gettext('The no-subscription repository is NOT production-ready')
 : gettext('The test repository may contain unstable updates')
 ;
- metaData.tdAttr = `data-qtip="${Ext.htmlEncode(qtip)}"`;
+ metaData.tdAttr = `data-qtip="${Ext.htmlEncode(Ext.htmlEncode(qtip))}"`;
 }
 }
 return components.join(' ') + err;
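Review bot: In the first hunk (-270), the `gettext('Warning')` entry that seeds `txt` still passes through only the outer `Ext.htmlEncode`, while each `warning.message` is now encoded twice. Per the commit message one layer of encoding is undone when the tooltip is applied via `innerHTML`, so markup in a translated string would be interpreted there; the risk is lower than for repository data, but the second hunk already double-encodes its `gettext` strings. Seeding the array as `let txt = [Ext.htmlEncode(gettext('Warning'))];` treats every entry alike and leaves the `join` separator as the only intentional markup. The enclosing renderer begins and ends outside the hunk.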
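Review bot: In the second hunk (-305), the nested `Ext.htmlEncode(Ext.htmlEncode(qtip))` reads like an accidental duplicate, and a later cleanup that removes one call would bring back the markup interpretation this commit fixes. A comment directly above the assignment would record the intent, for example `// Ext applies data-qtip content via innerHTML, which undoes one layer of encoding, so encode twice`. The `qtip` assignment and the enclosing renderer start outside the hunk, so only the two `gettext` branches are visible here.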