SkyCrypt
Sanitize item names to prevent possible future XSS attacks
If hypixel will ever allow players to rename one of their items with a custom name we are at risk of XSS attacks (tested).
We need to sanitize item.display_name and item.display_name_print.
My 2 minute google search found this on stack overflow, but it's probably better to use something more advanced. Keep in mind item.display_name_print will contain HTML tags that must not be sanitized.
if (/[<>&]/.test(item.display_name)) {
    // Replace each HTML-significant character with its entity
    const tagsToReplace = {
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;'
    }
    item.display_name = item.display_name.replace(
        /[&<>]/g,
        tag => tagsToReplace[tag] || tag
    )
}
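As an added example (not SkyCrypt's own code, and not the snippet above), here is an escaper that also covers quotes so the name is safe inside attributes, plus a hypothetical sanitizeItem that escapes display_name first and only then appends trusted markup to build display_name_print; the item shape and the master-star markup are assumptions.

```javascript
// Map every character that has meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of text or attribute context.
// '&' is included so an already-encoded entity in the name is not decoded
// back to a live '<' or '>' by the browser.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical item shape (assumption): display_name is raw player-controlled
// text, display_name_print is the HTML the template outputs unescaped.
// Trusted markup is appended only after escaping, so the sanitizer never
// touches it and the player's text can never be parsed as a tag.
function sanitizeItem(item, trustedSuffixHtml = '') {
  const safeName = escapeHtml(item.display_name);
  return {
    ...item,
    display_name: safeName,
    display_name_print: safeName + trustedSuffixHtml,
  };
}

// Constructed sample: a renamed item whose name contains a script tag.
const sample = { display_name: '<script>alert(1)</script>' };
// Constructed trusted markup standing in for the master-star decoration.
const MASTER_STAR = '<span class="master-star">&#9733;</span>';
const cleaned = sanitizeItem(sample, MASTER_STAR);
console.log(cleaned.display_name_print);
```

In EJS, `<%= %>` applies this kind of escaping automatically while `<%- %>` outputs raw HTML, so display_name_print is the only field that should ever go through `<%- %>`.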
Thank you for bringing this issue to our attention. Expect a developer to comment within the first 2-3 days of issue submission
we could also probably use <%= %>
I just had to change some of those to print the HTML for master stars. Also the issue seems to be mainly when we output the calculated and items in json to be parsed by js (I didn't dig too far into this since it wasn't a real issue for the moment).
I doubt that Hypixel will ever allow custom item names because there would be a lot of work required to keep the names of people's items free from abusive content
@metalcupcake5 what Nate said ^^