Form editor fixes

[MAILPOET-1892]

lib/Form/Block/Base.php

@@ -76,7 +76,7 @@ abstract class Base {
     if (isset($block['params']['label'])
       && strlen(trim($block['params']['label'])) > 0) {
       $html .= '<label class="mailpoet_'.$block['type'].'_label">';
-      $html .= $block['params']['label'];
+      $html .= htmlspecialchars($block['params']['label']);
 
       if (isset($block['params']['required']) && $block['params']['required']) {
         $html .= ' <span class="mailpoet_required">*</span>';

views/form/editor.html

@@ -216,6 +216,9 @@
   )%>
 
   <script type="text/javascript">
+    function encodeHtmlValue(str) {
+      return str.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
+    }
     var mailpoet_segments = <%= json_encode(segments) %>;
 
     var mailpoet_default_fields = [
@@ -658,7 +661,7 @@
 
               mailpoet_form_fields();
               MailPoet.Notice.success(
-                "<%= __('Removed custom field %$1s') | escape('js') %>".replace('%$1s', '"' + name + '"')
+                "<%= __('Removed custom field %$1s') | escape('js') %>".replace('%$1s', '"' + encodeHtmlValue(name) + '"')
               );
 
               MailPoet.trackEvent('Forms > Delete custom field', {

views/form/templates/settings/field_form.hbs

@@ -96,11 +96,11 @@
 
           if(data.id) {
             MailPoet.Notice.success(
-              "<%= __('Updated custom field %$1s') | escape('js') %>".replace('%$1s', '"' + data.name + '"')
+              "<%= __('Updated custom field %$1s') | escape('js') %>".replace('%$1s', '"' + encodeHtmlValue(data.name) + '"')
             );
           } else {
             MailPoet.Notice.success(
-              "<%= __('Added custom field %$1s') | escape('js') %>".replace('%$1s', '"' + data.name + '"')
+              "<%= __('Added custom field %$1s') | escape('js') %>".replace('%$1s', '"' + encodeHtmlValue(data.name) + '"')
             );
           }
         }).fail(function(response) {