From c295bd25e130fb80dae9e5935022b6d25857e752 Mon Sep 17 00:00:00 2001
From: Mafoo
Date: Tue, 30 May 2017 20:44:51 +0100
Subject: [PATCH] BugFix [master] - messages class escape more text automatically (#2612)

because we are using javascript to populate the messages list we need to make sure all special chars are escaped or line feeds will cause problems
---
 resources/classes/messages.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/resources/classes/messages.php b/resources/classes/messages.php
index f1c35e8418..e19f7066bd 100644
--- a/resources/classes/messages.php
+++ b/resources/classes/messages.php
@@ -39,7 +39,7 @@ if (!class_exists('messages')) {
 $message_mood = $_SESSION['message_mood'] ?: 'default';
 $message_delay = $_SESSION['message_delay'];
- $html .= "display_message('".$message_text."', '".$message_mood."'";
+ $html .= "display_message('".str_replace(array("\r\n", "\n", "\r"),'\\n', htmlspecialchars($message_text))."', '".$message_mood."'";
 if ($message_delay != '') {
 $html .= ", '".$message_delay."'";
 }
@@ -51,7 +51,7 @@ if (!class_exists('messages')) {
 $message_mood = $message['mood'] ?: 'default';
 $message_delay = $message['delay'];
- $html .= "display_message('".$message_text."', '".$message_mood."'";
+ $html .= "display_message('".str_replace(array("\r\n", "\n", "\r"),'\\n', htmlspecialchars($message_text))."', '".$message_mood."'";
 if ($message_delay != '') {
 $html .= ", '".$message_delay."'";
 }
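Review bot: The escaping added on the `display_message(` line in this hunk (and repeated identically in the `@@ -51,7 +51,7 @@` hunk) applies an HTML encoder to a value that sits inside a single-quoted JavaScript string, so the literal can still be broken: `htmlspecialchars()` is called without flags, its default on PHP versions before 8.1 leaves `'` unencoded, and it never encodes a backslash. Encoding for the JavaScript context with `json_encode()` handles quotes, backslashes and line terminators in one step and emits its own quotes, e.g. `$html .= "display_message(".json_encode(htmlspecialchars($message_text), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP).", '".$message_mood."'";`. The inner `htmlspecialchars()` is kept on the assumption that `display_message` inserts the text as HTML, which is not visible here. `$message_mood` and `$message_delay` are still concatenated unescaped on the same lines and would benefit from the same encoding or an allow-list of expected values. The enclosing method starts and ends outside both hunks.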