From e5091ce2e8d3551ac873cc60b57383967edf7c0b Mon Sep 17 00:00:00 2001
From: th0r <grunin.ya@ya.ru>
Date: Thu, 11 Apr 2019 13:47:04 +0300
Subject: [PATCH 1/2] Properly escape embedded JS/JSON

---
 src/viewer.js    | 17 ++++++++++++++---
 views/script.ejs |  2 +-
 views/viewer.ejs |  6 +++---
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/src/viewer.js b/src/viewer.js
index d9bf0e2b..ae4ab261 100644
--- a/src/viewer.js
+++ b/src/viewer.js
@@ -53,7 +53,9 @@ async function startServer(bundleStats, opts) {
       mode: 'server',
       get chartData() { return JSON.stringify(chartData) },
       defaultSizes: JSON.stringify(defaultSizes),
-      enableWebSocket: true
+      enableWebSocket: true,
+      // Helpers
+      escapeScript
     });
   });
 
@@ -131,9 +133,11 @@ async function generateReport(bundleStats, opts) {
       {
         mode: 'static',
         chartData: JSON.stringify(chartData),
-        assetContent: getAssetContent,
         defaultSizes: JSON.stringify(defaultSizes),
-        enableWebSocket: false
+        enableWebSocket: false,
+        // Helpers
+        assetContent: getAssetContent,
+        escapeScript
       },
       (err, reportHtml) => {
         try {
@@ -168,6 +172,13 @@ function getAssetContent(filename) {
   return fs.readFileSync(`${projectRoot}/public/${filename}`, 'utf8');
 }
 
+/**
+ * Escapes `<` characters in the string to safely use it in `<script>` tag.
+ */
+function escapeScript(value) {
+  return String(value).replace(/</gu, '\\u003c');
+}
+
 function getChartData(analyzerOpts, ...args) {
   let chartData;
   const {logger} = analyzerOpts;
diff --git a/views/script.ejs b/views/script.ejs
index 0ff911b9..718c954f 100644
--- a/views/script.ejs
+++ b/views/script.ejs
@@ -1,7 +1,7 @@
 <% if (mode === 'static') { %>
   <!-- <%= filename %> -->
   <script>
-    <%- assetContent(filename) %>
+    <%- escapeScript(assetContent(filename)) %>
   </script>
 <% } else { %>
   <script src="/<%= filename %>"></script>
diff --git a/views/viewer.ejs b/views/viewer.ejs
index 38209cae..daec0e13 100644
--- a/views/viewer.ejs
+++ b/views/viewer.ejs
@@ -11,9 +11,9 @@
   <body>
     <div id="app"></div>
     <script>
-      window.chartData = <%- chartData %>;
-      window.defaultSizes = <%- defaultSizes %>;
-      window.enableWebSocket = <%- enableWebSocket %>;
+      window.chartData = <%- escapeScript(chartData) %>;
+      window.defaultSizes = <%- escapeScript(defaultSizes) %>;
+      window.enableWebSocket = <%- escapeScript(enableWebSocket) %>;
     </script>
   </body>
 </html>

From 538593615263de8970b0abe7cdcdff06dedf9f63 Mon Sep 17 00:00:00 2001
From: th0r <grunin.ya@ya.ru>
Date: Thu, 11 Apr 2019 13:51:28 +0300
Subject: [PATCH 2/2] Add changelog entry

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 95153115..a818689b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,9 @@ _Note: Gaps between patch versions are faulty, broken or test releases._
 
 <!-- Add changelog entries for new changes under this section -->
 
+ * **Improvements**
+   * Properly escape embedded JS/JSON ([#262](https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/262))
+
  * **Bug Fix**
    * Fix showing help message on `-h` flag ([#260](https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/260), fixes [#239](https://github.com/webpack-contrib/webpack-bundle-analyzer/issues/239))