From 2590528d633015a36866e8571ee86fd3ea0d5434 Mon Sep 17 00:00:00 2001
From: Hannes Mannerheim
Date: Sun, 7 Feb 2016 02:23:38 +0100
Subject: [PATCH] xss fix, thx @chc4@quitter.se
---
 js/misc-functions.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/js/misc-functions.js b/js/misc-functions.js
index b15a170..256da91 100644
--- a/js/misc-functions.js
+++ b/js/misc-functions.js
@@ -1882,7 +1882,8 @@ function loadHistoryFromLocalStorage() {
 $('#history-container').css('display','block');
 $('#history-container').html('');
 $.each(cacheData, function(key,obj) {
- $('#history-container').append('' + obj.dataStreamHeader + '');
+ var streamHeader = replaceHtmlSpecialChars(obj.dataStreamHeader); // because we're pulling the header with jQuery.text() before saving in localstorage, which unescapes our escaped html
+ $('#history-container').append('' + streamHeader + '');
 });
 }
 updateHistoryLocalStorage();
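Review bot: Only `obj.dataStreamHeader` is escaped in the `$.each` callback, and the result is still concatenated into an HTML string for `.append()`, so the fix holds only as far as `replaceHtmlSpecialChars` covers the context the value lands in. The markup literals around the value are not legible on this page, so it cannot be checked here whether other `obj` fields read from `cacheData` are interpolated too; if any are, they need the same escaping, and the helper must encode `"` and `'` as well as `<`, `>` and `&` for any value placed in an attribute. Replacing the trailing remark with a comment above the line would state the rule for later edits: `// cacheData comes from localStorage as unescaped text: escape every field before building HTML from it`. Where the markup allows it, creating the element and setting the header with jQuery's `.text()` would remove the dependency on the escape helper. The body of loadHistoryFromLocalStorage starts outside the hunk.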