[WebUI] Fix encoding HTML entities for torrent attributes

Ensure all torrent attributes that might contain malicious HTML entities
are encoded.

By allowing HTML entities to be rendered it enable malicious torrent
files to perform XSS attacks.

Resolves: https://dev.deluge-torrent.org/ticket/3459

deluge/ui/web/js/deluge-all/EditTrackersWindow.js

@@ -57,6 +57,7 @@ Deluge.EditTrackersWindow = Ext.extend(Ext.Window, {
                     header: _('Tracker'),
                     width: 0.9,
                     dataIndex: 'url',
+                    tpl: new Ext.XTemplate('{url:htmlEncode}'),
                 },
             ],
             columnSort: {

deluge/ui/web/js/deluge-all/FilterPanel.js

@@ -171,5 +171,5 @@ Deluge.FilterPanel.templates = {
     tracker_host:
         '<div class="x-deluge-filter" style="background-image: url(' +
         deluge.config.base +
-        'tracker/{filter});">{filter} ({count})</div>',
+        'tracker/{filter});">{filter:htmlEncode} ({count})</div>',
 };

deluge/ui/web/js/deluge-all/TorrentGrid.js

@@ -17,7 +17,7 @@
         return String.format(
             '<div class="torrent-name x-deluge-{0}">{1}</div>',
             r.data['state'].toLowerCase(),
-            value
+            Ext.util.Format.htmlEncode(value)
         );
     }
     function torrentSpeedRenderer(value) {
@@ -62,7 +62,7 @@
             '<div style="background: url(' +
                 deluge.config.base +
                 'tracker/{0}) no-repeat; padding-left: 20px;">{0}</div>',
-            value
+            Ext.util.Format.htmlEncode(value)
         );
     }
 

deluge/ui/web/js/deluge-all/add/AddWindow.js

@@ -93,6 +93,9 @@ Deluge.add.AddWindow = Ext.extend(Deluge.add.Window, {
                     sortable: true,
                     renderer: torrentRenderer,
                     dataIndex: 'text',
+                    tpl: new Ext.XTemplate(
+                        '<div class="x-deluge-add-torrent-name">{text:htmlEncode}</div>'
+                    ),
                 },
             ],
             stripeRows: true,

deluge/ui/web/js/deluge-all/add/FilesTab.js

@@ -28,6 +28,7 @@ Deluge.add.FilesTab = Ext.extend(Ext.ux.tree.TreeGrid, {
             header: _('Filename'),
             width: 295,
             dataIndex: 'filename',
+            tpl: new Ext.XTemplate('{filename:htmlEncode}'),
         },
         {
             header: _('Size'),

deluge/ui/web/js/deluge-all/details/DetailsTab.js

@@ -91,7 +91,9 @@ Deluge.details.DetailsTab = Ext.extend(Ext.Panel, {
         for (var field in this.fields) {
             if (!Ext.isDefined(data[field])) continue; // This is a field we are not responsible for.
             if (data[field] == this.oldData[field]) continue;
-            this.fields[field].dom.innerHTML = Ext.escapeHTML(data[field]);
+            this.fields[field].dom.innerHTML = Ext.util.Format.htmlEncode(
+                data[field]
+            );
         }
         this.oldData = data;
     },

deluge/ui/web/js/deluge-all/details/FilesTab.js

@@ -18,6 +18,7 @@ Deluge.details.FilesTab = Ext.extend(Ext.ux.tree.TreeGrid, {
             header: _('Filename'),
             width: 330,
             dataIndex: 'filename',
+            tpl: new Ext.XTemplate('{filename:htmlEncode}'),
         },
         {
             header: _('Size'),

deluge/ui/web/js/deluge-all/details/PeersTab.js

@@ -73,7 +73,7 @@
                             header: _('Client'),
                             width: 125,
                             sortable: true,
-                            renderer: fplain,
+                            renderer: 'htmlEncode',
                             dataIndex: 'client',
                         },
                         {