From 05dbc03a0b9daf4941a8a732cd234750bb3256a1 Mon Sep 17 00:00:00 2001
From: Zalmoxisus <zalmoxisus@gmail.com>
Date: Sun, 19 Oct 2014 03:47:01 +0400
Subject: [PATCH 1/5] Fixed security issue #182

---
 contact_list.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contact_list.js b/contact_list.js
index fe69e10d0..12b4571e9 100644
--- a/contact_list.js
+++ b/contact_list.js
@@ -185,7 +185,7 @@ var ContactList = (function (my) {
      */
     function createDisplayNameParagraph(displayName) {
         var p = document.createElement('p');
-        p.innerHTML = displayName;
+        p.innerText = displayName;
 
         return p;
     };
@@ -203,7 +203,7 @@ var ContactList = (function (my) {
         var contactName = $('#contactlist #' + resourceJid + '>p');
 
         if (contactName && displayName && displayName.length > 0)
-            contactName.html(displayName);
+            contactName.text(displayName);
     });
 
     my.setClickable = function(resourceJid, isClickable) {

From 96e5117f6a017dbab43cc0aa93b8c47b97a0a824 Mon Sep 17 00:00:00 2001
From: Zalmoxisus <zalmoxisus@gmail.com>
Date: Sun, 19 Oct 2014 03:49:51 +0400
Subject: [PATCH 2/5] Fixes issue #178

---
 videolayout.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/videolayout.js b/videolayout.js
index 63013d5b2..f85c0da25 100644
--- a/videolayout.js
+++ b/videolayout.js
@@ -647,7 +647,7 @@ var VideoLayout = (function (my) {
                     $('#editDisplayName').select();
 
                     var inputDisplayNameHandler = function (name) {
-                        if (nickname !== name) {
+                        if (name && nickname !== name) {
                             nickname = name;
                             window.localStorage.displayname = nickname;
                             connection.emuc.addDisplayNameToPresence(nickname);

From aa6da5f9baf5d64d813f60b71b3e32d26f758d9b Mon Sep 17 00:00:00 2001
From: Zalmoxisus <zalmoxisus@gmail.com>
Date: Sun, 19 Oct 2014 04:16:17 +0400
Subject: [PATCH 3/5] Fixes #177

---
 util.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util.js b/util.js
index 652b5b14c..7025a3af2 100644
--- a/util.js
+++ b/util.js
@@ -44,7 +44,7 @@ var Util = (function (my) {
      * Escapes the given text.
      */
     my.escapeHtml = function (unsafeText) {
-        return $('<div/>').text(unsafeText).html();
+        return $('<div/>').text(unsafeText).text();
     };
 
     /**

From ae7429fb281fe507253fadd683eb064413595d58 Mon Sep 17 00:00:00 2001
From: Zalmoxisus <zalmoxisus@gmail.com>
Date: Sun, 19 Oct 2014 04:29:32 +0400
Subject: [PATCH 4/5] It is still good to escape html tags not only for #177

---
 util.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util.js b/util.js
index 7025a3af2..c54425444 100644
--- a/util.js
+++ b/util.js
@@ -44,7 +44,7 @@ var Util = (function (my) {
      * Escapes the given text.
      */
     my.escapeHtml = function (unsafeText) {
-        return $('<div/>').text(unsafeText).text();
+        return unsafeText.replace(/</g, '&lt;').replace(/>/g, '&gt;');
     };
 
     /**

From c3fbb1fcbc8cabf2b514fd8d8b8541c43a3487ec Mon Sep 17 00:00:00 2001
From: Zalmoxisus <zalmoxisus@gmail.com>
Date: Mon, 20 Oct 2014 16:37:30 +0400
Subject: [PATCH 5/5] According to issue #177 we need only tags to be escaped,
 but not other special characters, not to be escaped twice

---
 util.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/util.js b/util.js
index c54425444..daebfd914 100644
--- a/util.js
+++ b/util.js
@@ -44,6 +44,13 @@ var Util = (function (my) {
      * Escapes the given text.
      */
     my.escapeHtml = function (unsafeText) {
+        return $('<div/>').text(unsafeText).html();
+    };
+    
+    /**
+     * Escapes only tags from the given text.
+     */
+    my.escapeTags = function (unsafeText) {
         return unsafeText.replace(/</g, '&lt;').replace(/>/g, '&gt;');
     };