Fixes an exploit in notes (#17444)

code/modules/admin/sql_notes.dm

@@ -55,12 +55,14 @@
 	// Force cast this to 1/0 incase someone tries to feed bad data
 	automated = !!automated
 
+	var/safe_text = html_encode(notetext)
+
 	var/datum/db_query/query_noteadd = SSdbcore.NewQuery({"
 		INSERT INTO notes (ckey, timestamp, notetext, adminckey, server, crew_playtime, round_id, automated)
 		VALUES (:targetckey, NOW(), :notetext, :adminkey, :server, :crewnum, :roundid, :automated)
 	"}, list(
 		"targetckey" = target_ckey,
-		"notetext" = notetext,
+		"notetext" = safe_text,
 		"adminkey" = adminckey,
 		"server" = GLOB.configuration.system.instance_id,
 		"crewnum" = crew_number,
@@ -72,8 +74,8 @@
 		return
 	qdel(query_noteadd)
 	if(logged)
-		log_admin("[usr ? key_name(usr) : adminckey] has added a note to [target_ckey]: [notetext]")
-		message_admins("[usr ? key_name_admin(usr) : adminckey] has added a note to [target_ckey]:<br>[notetext]")
+		log_admin("[usr ? key_name(usr) : adminckey] has added a note to [target_ckey]: [safe_text]")
+		message_admins("[usr ? key_name_admin(usr) : adminckey] has added a note to [target_ckey]:<br>[safe_text]")
 		if(show_after)
 			show_note(target_ckey)
 
@@ -110,8 +112,10 @@
 		return
 	qdel(query_del_note)
 
-	log_admin("[usr ? key_name(usr) : "Bot"] has removed a note made by [adminckey] from [ckey]: [notetext]")
-	message_admins("[usr ? key_name_admin(usr) : "Bot"] has removed a note made by [adminckey] from [ckey]:<br>[notetext]")
+	var/safe_text = html_encode(notetext)
+
+	log_admin("[usr ? key_name(usr) : "Bot"] has removed a note made by [adminckey] from [ckey]: [safe_text]")
+	message_admins("[usr ? key_name_admin(usr) : "Bot"] has removed a note made by [adminckey] from [ckey]:<br>[safe_text]")
 	show_note(ckey)
 
 /proc/edit_note(note_id)
@@ -142,9 +146,12 @@
 		var/new_note = input("Input new note", "New Note", "[old_note]") as message|null
 		if(!new_note)
 			return
-		var/edit_text = "Edited by [usr.ckey] on [SQLtime()] from \"[old_note]\" to \"[new_note]\"<hr>"
+
+		var/safe_text = html_encode(new_note)
+
+		var/edit_text = "Edited by [usr.ckey] on [SQLtime()] from \"[old_note]\" to \"[safe_text]\"<hr>"
 		var/datum/db_query/query_update_note = SSdbcore.NewQuery("UPDATE notes SET notetext=:new_note, last_editor=:akey, edits = CONCAT(IFNULL(edits,''),:edit_text) WHERE id=:note_id", list(
-			"new_note" = new_note,
+			"new_note" = safe_text,
 			"akey" = usr.ckey,
 			"edit_text" = edit_text,
 			"note_id" = note_id
@@ -152,8 +159,8 @@
 		if(!query_update_note.warn_execute())
 			qdel(query_update_note)
 			return
-		log_admin("[usr ? key_name(usr) : "Bot"] has edited [target_ckey]'s note made by [adminckey] from \"[old_note]\" to \"[new_note]\"")
-		message_admins("[usr ? key_name_admin(usr) : "Bot"] has edited [target_ckey]'s note made by [adminckey] from \"[old_note]\" to \"[new_note]\"")
+		log_admin("[usr ? key_name(usr) : "Bot"] has edited [target_ckey]'s note made by [adminckey] from \"[old_note]\" to \"[safe_text]\"")
+		message_admins("[usr ? key_name_admin(usr) : "Bot"] has edited [target_ckey]'s note made by [adminckey] from \"[old_note]\" to \"[safe_text]\"")
 		show_note(target_ckey)
 		qdel(query_update_note)
 
@@ -207,7 +214,7 @@
 				output += " <a href='?_src_=holder;removenote=[id]'>\[Remove Note\]</a> [automated ? "\[Automated Note\]" : "<a href='?_src_=holder;editnote=[id]'>\[Edit Note\]</a>"]"
 				if(last_editor)
 					output += " <font size='2'>Last edit by [last_editor] <a href='?_src_=holder;noteedits=[id]'>(Click here to see edit log)</a></font>"
-			output += "<br>[notetext]<hr style='background:#000000; border:0; height:1px'>"
+			output += "<br>[replacetext(notetext, "\n", "<br>")]<hr style='background:#000000; border:0; height:1px'>"
 		qdel(query_get_notes)
 	else if(index)
 		var/index_ckey