From 175a6c2a243ff7462a0059d0b96bb6fd0d41d798 Mon Sep 17 00:00:00 2001
From: nightwing
Date: Thu, 7 Sep 2017 15:23:27 +0400
Subject: [PATCH] fix xss in debugnode
---
 plugins/c9.ide.immediate/evaluators/debugnode.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/plugins/c9.ide.immediate/evaluators/debugnode.js b/plugins/c9.ide.immediate/evaluators/debugnode.js
index fd3a5d3f..778f63ac 100644
--- a/plugins/c9.ide.immediate/evaluators/debugnode.js
+++ b/plugins/c9.ide.immediate/evaluators/debugnode.js
@@ -1,18 +1,19 @@
 define(function(require, exports, module) {
 main.consumes = [
- "immediate", "settings", "debugger", "Evaluator", "callstack", "ui"
+ "immediate", "debugger", "Evaluator", "callstack", "ui"
 ];
 main.provides = ["immediate.debugnode"];
 return main;
 function main(options, imports, register) {
 var Evaluator = imports.Evaluator;
- var settings = imports.settings;
 var debug = imports.debugger;
 var immediate = imports.immediate;
 var callstack = imports.callstack;
 var ui = imports.ui;
+ var escapeHTML = require("ace/lib/lang").escapeHTML;
+
 /***** Initialization *****/
 var plugin = new Evaluator("Ajax.org", main.consumes, {
@@ -450,7 +451,7 @@ define(function(require, exports, module) {
 else {
 // A value of unknown type which does not have any properties - assume it is a language-specific
 // primitive type.
- insert(html, value, name);
+ insert(html, escapeHTML(value), name);
 }
 }
 }
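Review bot: In the unknown-type fallback branch of the second hunk only `value` is escaped; `name` still goes into `insert(html, escapeHTML(value), name)` unchanged. `insert` is not visible in this hunk, but if it also writes `name` into the markup, a property name reported by the debugged process needs the same treatment, e.g. `insert(html, escapeHTML(value), escapeHTML(name));`. Because this branch handles values of unknown type, `value` may not be a string, so confirm that `escapeHTML` coerces its argument or pass `escapeHTML(String(value))`. Escaping inside `insert` itself, or setting the value as text content instead of markup, would protect every caller rather than this one branch. The enclosing function starts and ends outside the hunk, so its other `insert` call sites could not be checked here.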