From bb4eb1ed9a77547c0faee653c472d8fcd475e059 Mon Sep 17 00:00:00 2001 From: Mike Fix Date: Sat, 3 Feb 2018 16:54:58 -0800 Subject: [PATCH] XSS localStorage --- lib/util.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/util.js b/lib/util.js index ee317b4..1a6da9b 100644 --- a/lib/util.js +++ b/lib/util.js @@ -9,9 +9,15 @@ const parse = v => { } catch (e) {} } +const escapeHtml = s => + s + .replace(//g, '>') + .replace(/\//g, '/') + export const parseRGBA = obj => `rgba(${obj.r},${obj.g},${obj.b},${obj.a})` -export const getState = morph.compose(parse, morph.get(KEY)) +export const getState = morph.compose(parse, escapeHtml, morph.get(KEY)) export const saveState = (window, v) => assign(window, JSON.stringify(v)) export const capitalizeFirstLetter = s => s.charAt(0).toUpperCase() + s.slice(1)
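Review bot: `escapeHtml` calls `s.replace` unconditionally, and in the new `getState` it runs before `parse` and so outside that function's try/catch. If `morph.get(KEY)` can return `null` or `undefined` when nothing has been stored yet (not visible in this hunk, worth confirming), the load would throw a TypeError instead of falling back as before. A guard in the helper such as `if (typeof s !== 'string') return s` would keep the old behaviour for that case. Separately, the escaping is applied to the whole serialized string before parsing, so every stored value is rewritten on load wherever it is later rendered, and the visible replacements do not cover `&` or quote characters, so encoding at the point of output would be the more robust defence. The replace patterns in this listing appear damaged by extraction, so check the exact character set against the original commit.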