From a53cc52752d642ae1e09fdb2bf76f9454369be96 Mon Sep 17 00:00:00 2001
From: Ben Thomson <git@alfreido.com>
Date: Tue, 17 Dec 2019 22:43:44 +0800
Subject: [PATCH] Correctly display HTML entities in event log (#4566)

This changes the event log to use a partial for the log message which double-encodes the data. When using formatted view in the log viewer widget, the HTML entites are allowed by decoding back a step. When in raw view, the HTML entities are kept double-encoded.

Fixes #4558.
---
 .../system/assets/js/eventlogs/exception-beautifier.js   | 9 ++++++---
 modules/system/controllers/eventlogs/_field_message.htm  | 1 +
 modules/system/models/eventlog/fields.yaml               | 3 ++-
 3 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 modules/system/controllers/eventlogs/_field_message.htm

diff --git a/modules/system/assets/js/eventlogs/exception-beautifier.js b/modules/system/assets/js/eventlogs/exception-beautifier.js
index 66b85ed4d..f8d876db7 100644
--- a/modules/system/assets/js/eventlogs/exception-beautifier.js
+++ b/modules/system/assets/js/eventlogs/exception-beautifier.js
@@ -40,7 +40,7 @@
             }
         })
 
-        markup = self.parseSource(self.$el.text())
+        markup = self.parseSource(self.$el.html())
 
         self.$el
             .addClass('plugin-exception-beautifier')
@@ -274,7 +274,10 @@
             }
         }
         else {
-            markup += $.oc.escapeHtmlString(str)
+            // Allow HTML entities
+            str = str.replace(/&amp;([^\s&;]+?);/g, '&$1;')
+
+            markup += str
                 .replace(/\{x-newline\}/g, '<br>')
                 .replace(/\{x-tabulation\}/g, '&nbsp;&nbsp;')
         }
@@ -353,7 +356,7 @@
             tabs.find('#beautifier-tab-formatted').append(markup)
         }
 
-        tabs.find('#beautifier-tab-raw').append('<div class="beautifier-raw-content">' + $.oc.escapeHtmlString(source.trim()).replace(/\r\n|\r|\n/g, '<br>').replace(/ {2}/g, '&nbsp;&nbsp;') + '</div>')
+        tabs.find('#beautifier-tab-raw').append('<div class="beautifier-raw-content">' + source.trim().replace(/\r\n|\r|\n/g, '<br>').replace(/ {2}/g, '&nbsp;&nbsp;') + '</div>')
 
         tabs.ocTab({
             closable: false
diff --git a/modules/system/controllers/eventlogs/_field_message.htm b/modules/system/controllers/eventlogs/_field_message.htm
new file mode 100644
index 000000000..0176604b6
--- /dev/null
+++ b/modules/system/controllers/eventlogs/_field_message.htm
@@ -0,0 +1 @@
+<?= e($value, true); ?>
diff --git a/modules/system/models/eventlog/fields.yaml b/modules/system/models/eventlog/fields.yaml
index 44ac077bc..1a9c11ee9 100644
--- a/modules/system/models/eventlog/fields.yaml
+++ b/modules/system/models/eventlog/fields.yaml
@@ -5,6 +5,7 @@
 fields:
 
     message:
-        type: textarea
+        type: partial
+        path: field_message
         containerAttributes:
             data-plugin: exception-beautifier