fix escaping in opengraph descriptions - #632

app/templating/StringHelper.scala

@@ -32,7 +32,8 @@ trait StringHelper { self: NumberHelper =>
   // the replace quot; -> " is required
   // to avoid issues caused by addLinks
   // when an url is surrounded by quotes
-  def escape(text: String) = escapeHtml4(text).replace(""", "\"")
+  def escape(text: String) = escapeEvenDoubleQuotes(text).replace(""", "\"")
+  def escapeEvenDoubleQuotes(text: String) = escapeHtml4(text)
 
   def nl2br(text: String) = text.replace("\r\n", "<br />").replace("\n", "<br />")
 

app/ui/OpenGraph.scala

@@ -2,6 +2,7 @@ package lila.app
 package ui
 
 import play.twirl.api.Html
+import org.apache.commons.lang3.StringEscapeUtils.escapeHtml4
 
 case class OpenGraph(
     title: String,
@@ -15,7 +16,7 @@ case class OpenGraph(
   def html = Html(toString)
 
   private def tag(name: String, value: String) =
-    s"""<meta property="og:$name" content="$value" />"""
+    s"""<meta property="og:$name" content="${escapeHtml4(value)}" />"""
 
   private val tupledTag = (tag _).tupled
 

app/views/base/layout.scala.html

@@ -27,7 +27,7 @@ withLangAnnotations: Boolean = true)(body: Html)(implicit ctx: Context)
     @cssTag("board.css")
     @moreCss
     <link id="piece-sprite" href="@staticUrl(s"stylesheets/piece/${ctx.currentPieceSet}.css?v=$assetVersion")" type="text/css" rel="stylesheet"/>
-    <meta content="@openGraph.fold(trans.freeOnlineChessGamePlayChessNowInACleanInterfaceNoRegistrationNoAdsNoPluginRequiredPlayChessWithComputerFriendsOrRandomOpponents())(o => Html(o.description))" name="description">
+    <meta content="@openGraph.fold(trans.freeOnlineChessGamePlayChessNowInACleanInterfaceNoRegistrationNoAdsNoPluginRequiredPlayChessWithComputerFriendsOrRandomOpponents())(o => Html(escapeEvenDoubleQuotes(o.description)))" name="description">
     <link rel="shortcut icon" href="@staticUrl("images/favicon-32-white.png")" type="image/x-icon" />
     @if(!robots) {
     <meta content="noindex, nofollow" name="robots">