Escape name in html for iframe in share modal

CompuIves · CompuIves · commit e2b503ff179c · 2019-07-22T18:17:35.000+02:00
diff --git a/packages/app/src/app/pages/common/Modals/ShareModal/getCode.js b/packages/app/src/app/pages/common/Modals/ShareModal/getCode.js
@@ -6,10 +6,9 @@ import {
   sandboxUrl,
   embedUrl,
 } from '@codesandbox/common/lib/utils/url-generator';
+import { escapeHtml } from 'app/utils/escape';
 
-export const BUTTON_URL = `${
-  process.env.CODESANDBOX_HOST
-}/static/img/play-codesandbox.svg`;
+export const BUTTON_URL = `${process.env.CODESANDBOX_HOST}/static/img/play-codesandbox.svg`;
 
 export const VIEW_OPTIONS = ['Editor + Preview', 'Preview', 'Editor'];
 
@@ -65,12 +64,8 @@ export const getEmbedUrl = (sandbox, mainModule, state) =>
   getOptionsUrl(sandbox, mainModule, state);
 
 export const getIframeScript = (sandbox, mainModule, state) =>
-  `<iframe src="${getEmbedUrl(
-    sandbox,
-    mainModule,
-    state
-  )}" title="${getSandboxName(
-    sandbox
+  `<iframe src="${getEmbedUrl(sandbox, mainModule, state)}" title="${escapeHtml(
+    getSandboxName(sandbox)
   )}" allow="geolocation; microphone; camera; midi; vr; accelerometer; gyroscope; payment; ambient-light-sensor; encrypted-media" style="width:100%; height:500px; border:0; border-radius: 4px; overflow:hidden;" sandbox="allow-modals allow-forms allow-popups allow-scripts allow-same-origin"></iframe>`;
 
 // eslint-disable-next-line
