]> source.dussan.org Git - sonarqube.git/commitdiff
projects / sonarqube.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5b3813a)
SONAR-4269 Escape rule name to prevent XSS
authorJulien Lancelot <julien.lancelot@gmail.com>
Tue, 27 Aug 2013 10:15:37 +0000 (12:15 +0200)
committerJulien Lancelot <julien.lancelot@gmail.com>
Tue, 27 Aug 2013 10:15:37 +0000 (12:15 +0200)
sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb patch | blob | history
sonar-server/src/main/webapp/WEB-INF/app/views/issue/_rule.html.erb patch | blob | history
sonar-server/src/main/webapp/WEB-INF/app/views/rules/_show_modal.html.erb patch | blob | history
sonar-server/src/main/webapp/WEB-INF/app/views/rules/show.html.erb patch | blob | history

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb
index f8901aa0ee43d0cd1bda7a498bed74c5ec266d40..6e1cb2eeeed9d728af81a9e0b1233a056aee013c 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb
@@ -1,4 +1,4 @@
-<div class="code-issue" data-issue-key="<%= issue.key -%>" data-issue-component="<%= issue.componentKey() -%>" data-issue-rule="<%= issue.ruleKey().toString() -%>">
+<div class="code-issue" data-issue-key="<%= issue.key -%>" data-issue-component="<%= issue.componentKey() -%>" data-issue-rule="<%= issue.ruleKey().toString() -%>">
   <div class="code-issue-name">
     <div style="float: right">
       <a href="#" onclick="return openIssuePopup(this)" class="issue-permalink"><img src="<%= ApplicationController.root_context -%>/images/new-window-16.gif"></a>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_rule.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_rule.html.erb
index 279ccb735a842d1a2ea36262a2d880f6ba8c3afe..a0165ac138feb914e64ff6571db1b7dece93627b 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_rule.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_rule.html.erb
@@ -13,7 +13,7 @@
 <% end %>
 
 <div class="note">
-  <%= @rule.plugin_name -%>
+  <%= @rule.plugin_name -%>
   &nbsp;<%= image_tag 'sep12.png' -%>&nbsp;
-  <a href="#" onclick="return openIssueRulePopup(this)"><%= @rule.plugin_rule_key -%></a>
+  <a href="#" onclick="return openIssueRulePopup(this)"><%= @rule.plugin_rule_key -%></a>
 </div>
\ No newline at end of file
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/rules/_show_modal.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/rules/_show_modal.html.erb
index f86cba607ad8ecc7af916a84a68b4161c8947e65..8ccefcb5c1d485c171800402303f2e213aa613f5 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/rules/_show_modal.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/rules/_show_modal.html.erb
@@ -1,7 +1,7 @@
 <% if @rule %>
 <div class="modal-head">
   <h2 class="rule-title">
-    <%= @rule.name %>
+    <%= @rule.name %>
   </h2>
   <% unless @rule.ready? %>
     <div class="rule-status">
@@ -13,7 +13,7 @@
     </div>
   <% end %>
   <ul class="modal-head-metadata">
-    <li><%= @rule.plugin_name -%> : <%= @rule.plugin_rule_key -%></li>
+    <li><%= h @rule.plugin_name -%> : <%= h @rule.plugin_rule_key -%></li>
   </ul>
 </div>
 
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/rules/show.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/rules/show.html.erb
index ab37ce9e1df43722907464c45fb22a6c3853f624..2258fdd293eff3b05684487a1e46d0e348c1eddb 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/rules/show.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/rules/show.html.erb
@@ -1,5 +1,5 @@
 <div>
-  <h1 class="rule-title"><%= @rule.name %></h1>
+  <h1 class="rule-title"><%= @rule.name %></h1>
   <% unless @rule.ready? %>
     <div class="rule-status">
       <% if @rule.beta? %>
@@ -12,7 +12,7 @@
 </div>
 
 <div class="subtitle">
-<%= @rule.plugin_name -%> : <%= @rule.plugin_rule_key -%>
+<%= h @rule.plugin_name -%> : <%= h @rule.plugin_rule_key -%>
 </div>
 
 <div class="rule_detail">
Continuous Inspection: https://github.com/SonarSource/sonarqube