SSF-21 XSS vulnerability on Measures page
authorStas Vilchik <vilchiks@gmail.com>
Wed, 15 Oct 2014 13:33:35 +0000 (15:33 +0200)
committerStas Vilchik <vilchiks@gmail.com>
Wed, 15 Oct 2014 13:33:35 +0000 (15:33 +0200)
server/sonar-web/src/main/webapp/WEB-INF/app/views/measures/search.html.erb

index 397b575f01d21164ec40423338cf6c5750c32a84..168c56d5b9e0e5e439068053761fc53b2fb008c8 100644 (file)
 
 
   var queryParams = [
-    { key: 'qualifiers[]', value: <%= @filter.criteria['qualifiers'].to_json -%> },
-    { key: 'alertLevels[]', value: <%= @filter.criteria['alertLevels'].to_json -%> },
+    { key: 'qualifiers[]', value: <%= json_escape(@filter.criteria['qualifiers'].to_json) -%> },
+    { key: 'alertLevels[]', value: <%= json_escape(@filter.criteria['alertLevels'].to_json) -%> },
     { key: 'fromDate', value: '<%= h @filter.criteria['fromDate'] -%>' },
     { key: 'toDate', value: '<%= h @filter.criteria['toDate'] -%>' },
     { key: 'ageMinDays', value: '<%= h @filter.criteria('ageMinDays') -%>' },
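Review bot: The `fromDate`, `toDate` and `ageMinDays` entries directly below the two fixed lines still place `h`-escaped values inside single-quoted JavaScript string literals, and HTML escaping is the wrong encoder for that context: it leaves backslashes untouched and, depending on the Rails version, single quotes as well. Emitting them the same way as the fixed entries would close that gap, e.g. `{ key: 'fromDate', value: <%= json_escape(@filter.criteria['fromDate'].to_s.to_json) -%> },` with the surrounding quotes dropped. It is also worth confirming that `json_escape` in the Rails release this app runs on preserves double quotes, since older releases are reported to strip them, which would produce an invalid array literal for string values. The `queryParams` array continues past the end of this hunk, so any further entries there need the same check.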