From dbbbb2e5ed937ea686f4d1e9c391a3ab2411cafb Mon Sep 17 00:00:00 2001
From: Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>
Date: Wed, 28 Aug 2019 10:46:28 +0530
Subject: [PATCH] Fix query tool launch error if user name contain html
 characters. Fixes #4674

---
 docs/en_US/release_notes_4_13.rst                            | 3 ++-
 web/pgadmin/tools/datagrid/static/js/datagrid.js             | 2 +-
 web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js | 2 +-
 web/pgadmin/tools/sqleditor/static/js/sqleditor.js           | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/docs/en_US/release_notes_4_13.rst b/docs/en_US/release_notes_4_13.rst
index 45ceaf5e8..112d182fb 100644
--- a/docs/en_US/release_notes_4_13.rst
+++ b/docs/en_US/release_notes_4_13.rst
@@ -29,4 +29,5 @@ Bug fixes
 | `Issue #4643 <https://redmine.postgresql.org/issues/4643>`_ -  Fix Truncate option deselect issue for compound triggers.
 | `Issue #4644 <https://redmine.postgresql.org/issues/4644>`_ -  Fix length and precision enable/disable issue when changing the data type for Domain node.
 | `Issue #4650 <https://redmine.postgresql.org/issues/4650>`_ -  Fix SQL tab issue for Views. It's a regression of compound triggers.
-| `Issue #4657 <https://redmine.postgresql.org/issues/4657>`_ -  Fix PGADMIN_SERVER_JSON_FILE environment variable support in the container.
\ No newline at end of file
+| `Issue #4657 <https://redmine.postgresql.org/issues/4657>`_ -  Fix PGADMIN_SERVER_JSON_FILE environment variable support in the container.
+| `Issue #4674 <https://redmine.postgresql.org/issues/4674>`_ -  Fix query tool launch error if user name contain html characters.
\ No newline at end of file
diff --git a/web/pgadmin/tools/datagrid/static/js/datagrid.js b/web/pgadmin/tools/datagrid/static/js/datagrid.js
index f12ab7a79..7610d9554 100644
--- a/web/pgadmin/tools/datagrid/static/js/datagrid.js
+++ b/web/pgadmin/tools/datagrid/static/js/datagrid.js
@@ -227,7 +227,7 @@ define('pgadmin.datagrid', [
         queryToolForm +=`
           </form>
             <script>
-              document.getElementById("title").value = "${panel_title}";
+              document.getElementById("title").value = "${_.escape(panel_title)}";
               document.getElementById("queryToolForm").submit();
             </script>
           `;
diff --git a/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js b/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js
index 8c9b999c4..0672cdd56 100644
--- a/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js
+++ b/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js
@@ -52,6 +52,6 @@ export function setQueryToolDockerTitle(panel, is_query_tool, panel_title, is_fi
     panel_icon = 'fa fa-bolt';
   }
 
-  panel.title('<span title="'+ panel_tooltip +'">'+ panel_title +'</span>');
+  panel.title('<span title="'+ _.escape(panel_tooltip) +'">'+ _.escape(panel_title) +'</span>');
   panel.icon(panel_icon);
 }
diff --git a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
index 7e368ffba..82ceb3f5b 100644
--- a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
@@ -3436,7 +3436,7 @@ define('tools.querytool', [
               // Find the title of the visible panel
               _.each(window.top.pgAdmin.Browser.docker.findPanels('frm_datagrid'), function(p) {
                 if (p.isVisible()) {
-                  self.gridView.panel_title = $(p._title).html();
+                  self.gridView.panel_title = $(p._title).text();
                 }
               });