From 26f2ae5ad014b1e41031bdb50d62d9dd9c6a718f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorsten=20Wi=C3=9Fmann?= <edu@thorsten-wissmann.de>
Date: Fri, 11 Dec 2015 17:04:50 +0100
Subject: [PATCH] Do proper javascript escaping in password_fill

---
 misc/userscripts/password_fill | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/misc/userscripts/password_fill b/misc/userscripts/password_fill
index 7d0ad3b9b..bc12e228b 100755
--- a/misc/userscripts/password_fill
+++ b/misc/userscripts/password_fill
@@ -60,6 +60,12 @@ die() {
     exit 0
 }
 
+javascript_escape() {
+    # print the first argument in a escaped way, such that it can savely
+    # be used within javascripts double quotes
+    sed "s,[\\\'\"],\\\&,g" <<< "$1"
+}
+
 # ======================================================= #
 # CONFIGURATION
 # ======================================================= #
@@ -313,10 +319,10 @@ cat <<EOF
         for (var j = 0; j < inputs.length; j++) {
             var input = inputs[j];
             if (input.type == "text" || input.type == "email") {
-                input.value = "$username";
+                input.value = "$(javascript_escape "${username}")";
             }
             if (input.type == "password") {
-                input.value = "${password//\"/\\\"}";
+                input.value = "$(javascript_escape "${password}")";
             }
         }
     };