SONAR-7424 Fix SSF-40 & SSF-41
authorStas Vilchik <vilchiks@gmail.com>
Thu, 10 Mar 2016 16:24:39 +0000 (17:24 +0100)
committerStas Vilchik <vilchiks@gmail.com>
Thu, 10 Mar 2016 16:24:46 +0000 (17:24 +0100)
server/sonar-server/src/main/resources/org/sonar/server/dashboard/widget/events.html.erb
server/sonar-server/src/main/resources/org/sonar/server/dashboard/widget/timeline.html.erb
server/sonar-web/src/main/webapp/WEB-INF/app/helpers/dashboard_helper.rb

index d6be1d2e6671168ce153eff16dc4e61c50c4f7af..7e34636d15033c5ca4d8149100990856c0ab2d7c 100644 (file)
@@ -1,4 +1,4 @@
-<% 
+<%
   if @resource.scope=='PRJ'
 
     conditions = "component_uuid=:component_uuid"
@@ -11,7 +11,7 @@
     end
 
     events=Event.find(:all, :conditions => [conditions, values], :order => 'event_date desc')
-    
+
     categories = EventCategory.categories(true)
 %>
 
@@ -77,7 +77,7 @@
       <th colspan="4"></th>
     </tr>
   </thead>
-  
+
   <tbody>
 <%
    events.each do |event|
@@ -91,7 +91,7 @@
     <td x="<%= event.event_date -%>"><%= l(event.event_date.to_date) %></td>
     <td><%= h message('event.category.' + categ, :default => categ) %></td>
     <td>
-      <%= link_to_if profile_data['key'] && profile_data['from'] && profile_data['to'], event.name,
+      <%= link_to_if profile_data['key'] && profile_data['from'] && profile_data['to'], h(event.name),
                              :controller => 'profiles', :action => 'changelog', :key => profile_data['key'],
                              :since =>  profile_data['from'], :to => profile_data['to'] -%>
     </td>
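Review bot: The `h(event.name)` added at the `link_to_if` call carries no comment saying why it is needed, so a later cleanup could drop it as redundant. The commit implies the helper emits its name argument unescaped in this view, so a short ERB comment above the call would pin that, for example `<%# event.name is user-supplied and link_to_if does not escape the link text: keep h() %>`. Other places in this template that print event fields are outside the hunk and are worth checking for the same gap.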
index 2fa6a7a0af09bde92e08367bccb2417390b4f814..f9755436f66e2b2977ca8fb0fbc22cdc041cec6d 100644 (file)
          js_events += "),l:["
          e_details.each() do |e|
            js_events += "{n:\""
-           js_events += json_escape(e.name)
+           js_events += escape_javascript(e.name)
            js_events += "\"},"
          end
          js_events = js_events.chomp(',') + "]},"
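Review bot: `escape_javascript(e.name)` only makes the value safe inside the double-quoted JS string being concatenated here; it does not HTML-encode it. The fix is therefore complete only if the client code that later renders `n` inserts it as text rather than markup, and that consumer is not visible in this hunk. A Ruby comment above the changed line would record the contract, for example `# e.name is user-supplied: escaped for the JS string context only, the renderer must treat n as text`. Depending on the Rails version, `escape_javascript` may also leave U+2028/U+2029 untouched, which can break the generated literal. The enclosing loop and the hunk header are outside the visible lines.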
index a42726f1e458cdf6e7008b45cca3120165dca7a7..5b9b21994cb4bffbb8122e6d10623306bb07e69b 100644 (file)
@@ -17,6 +17,7 @@
 # along with this program; if not, write to the Free Software Foundation,
 # Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 #
+include ERB::Util
 module DashboardHelper
   include WidgetPropertiesHelper
   include MetricsHelper
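Review bot: The new `include ERB::Util` sits at file top level, before `module DashboardHelper`, so it mixes `h`, `html_escape` and `url_encode` into `Object` for the whole process rather than into this helper alone. Moving it inside the module, as `  include ERB::Util` next to `include WidgetPropertiesHelper`, keeps the escaping helpers scoped to where they are used. That avoids silently shadowing or being shadowed by an `h` defined elsewhere.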
@@ -63,7 +64,7 @@ module DashboardHelper
     label = period_label(snapshot, index)
     if label && snapshot.period_datetime(index)
       selected=(params[:period]==index.to_s ? 'selected' : '')
-      "<option value='#{index}' #{selected} class='#{html_class}'>&Delta; #{label}</option>"
+      "<option value='#{index}' #{selected} class='#{html_class}'>&Delta; #{h(label)}</option>"
     else
       nil
     end
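Review bot: On the rewritten `<option>` line only `label` is escaped; `html_class` and `index` are still interpolated raw into single-quoted attributes. `index` looks numeric from the `index.to_s` comparison, but the origin of `html_class` is outside the hunk. If it can carry caller-supplied text it should be escaped as well, for example `class=\"#{h(html_class)}\"`. The double-quoted attribute is the safer form, because older `ERB::Util#h` implementations do not encode `'`. The method's start and end are outside the hunk.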