Fix XSS vulnerabilities in manual rules
authorSimon Brandhof <simon.brandhof@gmail.com>
Tue, 29 Oct 2013 11:31:32 +0000 (12:31 +0100)
committerSimon Brandhof <simon.brandhof@gmail.com>
Tue, 29 Oct 2013 11:31:32 +0000 (12:31 +0100)
sonar-server/src/main/webapp/WEB-INF/app/views/manual_rules/_create_form.html.erb
sonar-server/src/main/webapp/WEB-INF/app/views/manual_rules/_edit_form.html.erb
sonar-server/src/main/webapp/WEB-INF/app/views/manual_rules/index.html.erb

index 3a7350ae60545c0b7e86e558fe3ddc529d579136..060c12253d0529f949d383e8a5ab71e9c534b830 100644 (file)
@@ -7,16 +7,16 @@
 
           <div class="modal-body">
               <% if @error  %>
-                  <p class="error"><%= @error -%></p>
+                  <p class="error"><%= @error -%></p>
               <% end %>
             <div class="modal-field">
-              <label for="manual_rules[]">Name<em class="mandatory">*</em>:</label>
+              <label for="manual_rules[]">Name <em class="mandatory">*</em></label>
               <input type="text" name="name" value=""/>
               <br/>
               <span class="desc">Ex. : Performance</span>
             </div>
             <div class="modal-field">
-              <label for="manual_rules[]">Description:</label>
+              <label for="manual_rules[]">Description <em class="mandatory">*</em></label>
               <textarea rows="5" cols="25" name="description"></textarea>
               <br/>
             </div>
@@ -32,4 +32,4 @@
 
 <script>
   $j("#manual-rules-form").modalForm();
-</script>
\ No newline at end of file
+</script>
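Review bot: As rendered, the removed and added lines at L16/L17 are byte-identical (`<%= @error -%>`), so whether `@error` is now HTML-escaped cannot be confirmed from this page even though the commit title says it fixes XSS here; if the new side still interpolates it raw, the line should read `<p class="error"><%= h @error -%></p>`. The same identical-pair pattern appears in _edit_form at L44/L45 (`@rule.name` in the heading) and L50/L51 (`@error`), which would need `h` for the same reason. Separately, the Description label now carries the mandatory marker but the `<textarea name="description">` on L29 has no `required` attribute, so the mandatory status is only visual unless the controller enforces it; that cannot be seen from this diff.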
index a09e22f07dc7859454230e827fdced4a2f80151e..5dec7c2466354256bc6a2a87c8eb66fbdc53fbc7 100644 (file)
@@ -2,23 +2,23 @@
   <form action="<%= ApplicationController.root_context -%>/manual_rules/edit" method="POST" id="manual-rules-form">
     <fieldset>
       <div class="modal-head">
-          <h2>Edit Manual Rule: <%= @rule.name -%></h2>
+          <h2>Edit Manual Rule: <%= @rule.name -%></h2>
       </div>
 
       <div class="modal-body">
           <% if @error  %>
-            <p class="error"><%= @error -%></p>
+            <p class="error"><%= @error -%></p>
           <% end %>
         <input type="hidden" name="id" value="<%= @rule.id -%>"/>
         <div class="modal-field">
-          <label for="manual_rules[]">Name<em class="mandatory">*</em>:</label>
+          <label for="manual_rules[]">Name <em class="mandatory">*</em></label>
           <input type="text" name="name" value="<%= h @rule.name -%>"/>
           <br/>
           <span class="desc">Ex. : Performance</span>
         </div>
         <div class="modal-field">
-          <label for="manual_rules[]">Description:</label>
-          <textarea rows="5" cols="25" name="description"><%= h(@rule.description) -%></textarea>
+          <label for="manual_rules[]">Description <em class="mandatory">*</em></label>
+          <textarea rows="5" cols="25" name="description"><%= h @rule.description -%></textarea>
           <br/>
         </div>
       </div>
@@ -33,4 +33,4 @@
 
 <script>
   $j("#manual-rules-form").modalForm();
-</script>
\ No newline at end of file
+</script>
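Review bot: The hidden field on L53 still interpolates `@rule.id` without escaping while every other rule attribute in this hunk now goes through `h`; presumably `id` is an integer primary key, so this is not exploitable, but escaping it costs nothing and keeps the template consistent: `<input type="hidden" name="id" value="<%= h @rule.id -%>"/>`. The `for="manual_rules[]"` on the labels at L56 and L64 does not match any element id in the form, so the labels are not associated with their inputs; either drop the `for` or give the inputs matching ids.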
index 8925d722f317ab47d997ced7cf23555115840fd2..4c271d550ebc81343e4432a5ee1dab17bd703cdc 100644 (file)
@@ -37,7 +37,7 @@
                 &nbsp;
               <%= link_to_action message('delete'), "#{ApplicationController.root_context}/manual_rules/delete/#{rule.id}",
                  :class => 'link-action link-red',
-                 :id => "delete_#{u(rule.key)}",
+                 :id => "delete_#{rule.key.parameterize}",
                  :confirm_button => message('delete'),
                  :confirm_title => 'Delete rule: '+rule.name,
                  :confirm_msg => 'Are you sure?',
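Review bot: `:confirm_title => 'Delete rule: '+rule.name` on L84 still concatenates the rule name unescaped, and whether `link_to_action` escapes its option values before emitting them into the page cannot be seen from this hunk; if it does not, this is the same class of issue the commit fixes elsewhere and should become `:confirm_title => 'Delete rule: ' + h(rule.name)`. The new `:id => "delete_#{rule.key.parameterize}"` on L82 is safe for markup but not unique: `parameterize` folds punctuation into dashes, so two keys that differ only in separators would produce the same DOM id, which the previous `u(rule.key)` form did not; if the id is used by scripts or tests to find a specific row, consider `rule.id` instead. The enclosing view continues outside the hunk.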