SONAR-3016 Escape filter name and key

author David Gageot <david@gageot.net>

Wed, 23 May 2012 15:22:20 +0000 (17:22 +0200)

committer David Gageot <david@gageot.net>

Wed, 23 May 2012 15:22:20 +0000 (17:22 +0200)
author David Gageot <david@gageot.net>
Wed, 23 May 2012 15:22:20 +0000 (17:22 +0200)
committer David Gageot <david@gageot.net>
Wed, 23 May 2012 15:22:20 +0000 (17:22 +0200)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/helpers/widget_properties_helper.rb b/sonar-server/src/main/webapp/WEB-INF/app/helpers/widget_properties_helper.rb

index f3fd3475ce7d602de8c3e40c1984fa1d801ce537..56aa47c93cce2060181b8efb132c0f236b38eea4 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/helpers/widget_properties_helper.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/helpers/widget_properties_helper.rb
@@ -52,15 +52,15 @@ module WidgetPropertiesHelper
    end
  
    def options_id(value, values)
-    values.collect { |f| "<option value='#{f.id}'" + (value.to_s == f.id.to_s ? " selected='selected'" : "") + ">#{f.name}</option>" }.to_s
+    values.collect { |f| "<option value='#{f.id}'" + (value.to_s == f.id.to_s ? " selected='selected'" : "") + ">#{h(f.name)}</option>" }.to_s
    end
  
    def options_key(value, values)
-    values.collect { |f| "<option value='#{f.key}'" + (value.to_s == f.key ? " selected='selected'" : "") + ">#{f.name}</option>" }.to_s
+    values.collect { |f| "<option value='#{h(f.key)}'" + (value.to_s == f.key ? " selected='selected'" : "") + ">#{h(f.name)}</option>" }.to_s
    end
  
    def option_group(name, options)
-    options.empty? ? '' : "<optgroup label=\"#{name}\">" + options + "</optgroup>"
+    options.empty? ? '' : "<optgroup label=\"#{h(name)}\">" + options + "</optgroup>"
    end
  
  end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/dashboard/_widget_title.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/dashboard/_widget_title.html.erb

index 0be79c9ef20f0a74b306aeb673a74da2952f4aa4..448a892f080036505fd014c5e44dd22f1e867d35 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/dashboard/_widget_title.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/dashboard/_widget_title.html.erb
@@ -1,10 +1,10 @@
  <% if widget.properties_as_hash['filter'] and @filter %>
    <div class="widget-title" id="widget_title_<%= widget.id -%>">
-    <%= @filter.name -%>
+    <%= h @filter.name -%>
      <% if @filter.period_index %>
-      (<%= period_names[@filter.period_index-1] -%>)
+      (<%= h period_names[@filter.period_index-1] -%>)
      <% end %>
    </div>
  <% elsif @dashboard.global and @resource and !widget.java_definition.global %>
-  <div class="widget-title" id="widget_title_<%= widget.id -%>"><%= @resource.name -%></div>
+  <div class="widget-title" id="widget_title_<%= widget.id -%>"><%= h @resource.name -%></div>
  <% end %>
author	David Gageot <david@gageot.net>
	Wed, 23 May 2012 15:22:20 +0000 (17:22 +0200)
committer	David Gageot <david@gageot.net>
	Wed, 23 May 2012 15:22:20 +0000 (17:22 +0200)
sonar-server/src/main/webapp/WEB-INF/app/helpers/widget_properties_helper.rb		patch \| blob \| history
sonar-server/src/main/webapp/WEB-INF/app/views/dashboard/_widget_title.html.erb		patch \| blob \| history