SONAR-7214 fix XSS injection on name of new users
authorStas Vilchik <vilchiks@gmail.com>
Tue, 19 Jan 2016 14:03:31 +0000 (15:03 +0100)
committerStas Vilchik <vilchiks@gmail.com>
Tue, 19 Jan 2016 14:03:38 +0000 (15:03 +0100)
server/sonar-web/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb

index 950d46ca853edee89c8874b376bc3d00ab513825..c82b0012620c516de02136230a8c3e24a1695937 100644 (file)
@@ -26,9 +26,9 @@
     <%# The two lines below mean that before full removal of Rails, we have to find a way to handle config properties %>
     window.SS = {
       hoursInDay: <%= configuration('sonar.technicalDebt.hoursInDay', 8) %>,
-      user: '<%= current_user.login if current_user -%>',
-      userName: '<%= current_user.name if current_user -%>',
-      userEmail: '<%= current_user.email if current_user -%>',
+      user: '<%= escape_javascript current_user.login if current_user -%>',
+      userName: '<%= escape_javascript current_user.name if current_user -%>',
+      userEmail: '<%= escape_javascript current_user.email if current_user -%>',
       lf: {
         enableGravatar: <%= configuration('sonar.lf.enableGravatar', true) %>,
         gravatarServerUrl: '<%= configuration('sonar.lf.gravatarServerUrl') %>'
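Review bot: The same unescaped interpolation pattern is still present on the `gravatarServerUrl` line at the bottom of the hunk, where a configuration string is emitted into a single-quoted JS literal without `escape_javascript`; a value containing `'` or `</` would break out of the string literal (or the inline script element) the same way the user fields did before this change. That value is administrator-controlled rather than user-supplied, so the risk is lower, but applying the same helper keeps the `window.SS` block consistent: `gravatarServerUrl: '<%= escape_javascript configuration('sonar.lf.gravatarServerUrl') %>'`. A short ERB comment above the user fields, `<%# escape_javascript: these values are emitted inside JS string literals in an inline <script>, so quotes and "</" must be escaped %>`, would record why the helper is required so it is not dropped in a later edit. The `window.SS` object literal continues past the end of the hunk.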