From 7e47ac8fc74e46e0306e45cd7beb3f04eaf439d6 Mon Sep 17 00:00:00 2001
From: "Cathy J. Fitzpatrick"
Date: Sat, 8 Jun 2013 04:24:29 -0600
Subject: [PATCH] Fix XSS in Skill Swap code
---
 js/battle.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/js/battle.js b/js/battle.js
index a6b4c982c..77d395854 100644
--- a/js/battle.js
+++ b/js/battle.js
@@ -4038,10 +4038,10 @@ function Battle(frame, logFrame, noPreload) {
 case 'skillswap':
 actions += "" + poke.getName() + " swapped Abilities with its target!";
 if (ofpoke && poke.side !== ofpoke.side) {
- self.resultAnim(poke, args[3], 'neutral', 1);
- self.resultAnim(ofpoke, args[4], 'neutral', 4);
- actions += "
" + poke.getName() + " acquired " + args[3] + "!";
- actions += "
" + ofpoke.getName() + " acquired " + args[4] + "!";
+ self.resultAnim(poke, Tools.escapeHTML(args[3]), 'neutral', 1);
+ self.resultAnim(ofpoke, Tools.escapeHTML(args[4]), 'neutral', 4);
+ actions += "
" + poke.getName() + " acquired " + Tools.escapeHTML(args[3]) + "!";
+ actions += "
" + ofpoke.getName() + " acquired " + Tools.escapeHTML(args[4]) + "!";
 }
 break;
 case 'charge':
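Review bot: The escaping of `args[3]` and `args[4]` is repeated at each of the four sinks in the `skillswap` branch, so the raw values stay in scope and a later edit can easily concatenate them unescaped again. Escaping once at the top of the `if` block, e.g. `var ability = Tools.escapeHTML(args[3]);` and `var ofAbility = Tools.escapeHTML(args[4]);`, and using only those locals below would make the safe value the obvious one to reach for. Separately, `poke.getName()` and `ofpoke.getName()` are appended to the same `actions` HTML string; the hunk does not show whether `getName()` returns escaped output, so that should be confirmed and noted in a comment such as `// getName() returns HTML-escaped text`. The enclosing `switch` continues outside the hunk, and other branches that interpolate `args[n]` into `actions` would presumably need the same treatment.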