2 files changed, 23 insertions, 17 deletions

diff --git a/src/client/Main.hx b/src/client/Main.hx
index bfcc877..3a819b2 100644
--- a/src/client/Main.hx
+++ b/src/client/Main.hx
@@ -283,7 +283,7 @@ class Main {
 				if (isLeader()) player.setTime(player.getTime(), false);
 
 			case ClearChat:
-				ge("#messagebuffer").innerHTML = "";
+				clearChat();
 
 			case ClearPlaylist:
 				player.clearItems();
@@ -313,7 +313,7 @@ class Main {
 				clientName: guestName.value
 			}
 		});
-		ge("#messagebuffer").innerHTML = "";
+		clearChat();
 		serverMessage(1);
 		for (message in connected.history) {
 			addMessage(message.name, message.text, message.time);
@@ -349,7 +349,7 @@ class Main {
 			form.value += ' ${el.title}';
 			form.focus();
 		}
-		smilesWrap.innerHTML = "";
+		smilesWrap.textContent = "";
 		for (emote in config.emotes) {
 			final img = document.createImageElement();
 			img.className = "smile-preview";
@@ -402,16 +402,16 @@ class Main {
 		switch (type) {
 			case 1:
 				div.className = "server-msg-reconnect";
-				div.innerHTML = Lang.get("msgConnected");
+				div.textContent = Lang.get("msgConnected");
 			case 2:
 				div.className = "server-msg-disconnect";
-				div.innerHTML = Lang.get("msgDisconnected");
+				div.textContent = Lang.get("msgDisconnected");
 			case 3:
 				div.className = "server-whisper";
-				div.innerHTML = time + text + " " + Lang.get("entered");
+				div.textContent = time + text + " " + Lang.get("entered");
 			case 4:
 				div.className = "server-whisper";
-				div.innerHTML = time + text;
+				div.textContent = time + text;
 			default:
 		}
 		msgBuf.appendChild(div);
@@ -420,7 +420,7 @@ class Main {
 
 	function updateUserList():Void {
 		final userCount = ge("#usercount");
-		userCount.innerHTML = clients.length + " " + Lang.get("online");
+		userCount.textContent = clients.length + " " + Lang.get("online");
 		document.title = getPageTitle();
 
 		final list = new StringBuf();
@@ -438,6 +438,10 @@ class Main {
 		return '$pageTitle (${clients.length})';
 	}
 
+	function clearChat():Void {
+		ge("#messagebuffer").textContent = "";
+	}
+
 	function addMessage(name:String, text:String, ?time:String):Void {
 		final msgBuf = ge("#messagebuffer");
 		final userDiv = document.createDivElement();
@@ -446,11 +450,11 @@ class Main {
 		final tstamp = document.createSpanElement();
 		tstamp.className = "timestamp";
 		if (time == null) time = "[" + new Date().toTimeString().split(" ")[0] + "] ";
-		tstamp.innerHTML = time;
+		tstamp.textContent = time;
 
 		final nameDiv = document.createElement("strong");
 		nameDiv.className = "username";
-		nameDiv.innerHTML = name + ": ";
+		nameDiv.textContent = name + ": ";
 
 		final textDiv = document.createSpanElement();
 		if (text.startsWith("/")) {
@@ -460,6 +464,7 @@ class Main {
 				text = filter.regex.replace(text, filter.replace);
 			}
 		}
+		text = text.htmlEscape();
 		textDiv.innerHTML = text;
 
 		final isInChatEnd = msgBuf.scrollHeight - msgBuf.scrollTop == msgBuf.clientHeight;
diff --git a/src/client/Player.hx b/src/client/Player.hx
index c9b10a4..bee9a3c 100644
--- a/src/client/Player.hx
+++ b/src/client/Player.hx
@@ -5,6 +5,7 @@ import js.html.VideoElement;
 import js.Browser.document;
 import client.Main.ge;
 import Types.VideoItem;
+using StringTools;
 using Lambda;
 
 class Player {
@@ -63,16 +64,16 @@ class Player {
 				}
 			});
 		}
-		player.innerHTML = "";
+		player.textContent = "";
 		player.appendChild(video);
-		ge("#currenttitle").innerHTML = item.title;
+		ge("#currenttitle").textContent = item.title;
 	}
 
 	public function addVideoItem(item:VideoItem, atEnd:Bool):Void {
 		items.push(item);
 		final itemEl = nodeFromString(
 			'<li class="queue_entry pluid-0 queue_temp queue_active" title="${Lang.get("addedBy")}: ${item.author}">
-				<a class="qe_title" href="${item.url}" target="_blank">${item.title}</a>
+				<a class="qe_title" href="${item.url}" target="_blank">${item.title.htmlEscape()}</a>
 				<span class="qe_time">${duration(item.duration)}</span>
 				<div class="qe_clear"></div>
 				<div class="btn-group" style="display: inline-block;">
@@ -109,7 +110,7 @@ class Player {
 		if (video == null) return;
 		player.removeChild(video);
 		video = null;
-		ge("#currenttitle").innerHTML = Lang.get("nothingPlaying");
+		ge("#currenttitle").textContent = Lang.get("nothingPlaying");
 	}
 
 	public function removeItem(url:String):Void {
@@ -132,8 +133,8 @@ class Player {
 	}
 
 	function updateCounters():Void {
-		ge("#plcount").innerHTML = '${items.length} ${Lang.get("videos")}';
-		ge("#pllength").innerHTML = totalDuration();
+		ge("#plcount").textContent = '${items.length} ${Lang.get("videos")}';
+		ge("#pllength").textContent = totalDuration();
 	}
 
 	public function getItems():Array<VideoItem> {
@@ -153,7 +154,7 @@ class Player {
 
 	public function clearItems():Void {
 		items.resize(0);
-		videoItemsEl.innerHTML = "";
+		videoItemsEl.textContent = "";
 		updateCounters();
 	}