SONAR-6877 SONAR-6878 Fix XSS
authorStas Vilchik <vilchiks@gmail.com>
Tue, 29 Sep 2015 12:01:50 +0000 (14:01 +0200)
committerStas Vilchik <vilchiks@gmail.com>
Tue, 29 Sep 2015 12:01:56 +0000 (14:01 +0200)
server/sonar-web/src/main/webapp/WEB-INF/app/views/dashboard/configure.html.erb
server/sonar-web/src/main/webapp/WEB-INF/app/views/server_id_configuration/index.html.erb

index 249a17f2a083f363f928ee5c51e93edc01f35a91..8a79823737019a8480f4f79dbafcc31880a69146 100644 (file)
@@ -59,7 +59,7 @@
   function init_dashboard() {
     portal = new Portal(options);
   <% if params[:highlight] %>
-    portal.highlightWidget(<%= escape_javascript(params[:highlight]) -%>);
+    portal.highlightWidget('<%= escape_javascript(params[:highlight]) -%>');
   <% end %>
   }
   $j(document).ready(function(){init_dashboard();});
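Review bot: The quotes added around `<%= escape_javascript(params[:highlight]) -%>` in `init_dashboard` are what make the call safe, because `escape_javascript` only neutralises characters for use inside a JavaScript string literal, and nothing in the template records that. I would add an ERB comment directly above the call, for example `<%# keep the quotes: escape_javascript is only safe inside a quoted JS string %>`, so a later edit does not drop them again. If `highlight` is expected to be a numeric widget id (not visible from this hunk), coercing it on the server before rendering, e.g. `params[:highlight].to_i`, would be a stricter guard than escaping alone. The surrounding script block starts and ends outside the hunk.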
index e953a41fe6f9933ec7f6eddaf0a3f3bb7764005e..6e7bb79fa362ddc035edf19dd4df4a9896ed9d31 100644 (file)
@@ -8,7 +8,7 @@
         <% if @server_id %>
           <p>
             <br/>
-            <span class="<%= @bad_id ? 'error' : 'notice' -%>" id="server_id"><big><%= @server_id -%></big></span>
+            <span class="<%= @bad_id ? 'error' : 'notice' -%>" id="server_id"><big><%= @server_id -%></big></span>
           <% if @bad_id %>
             <span class="error"><%= message('server_id_configuration.bad_key') -%></span>
           <% end %>
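Review bot: As rendered on this page, the added line that prints `@server_id` is character-for-character the same as the removed one, so the value still appears to be written with a bare `<%= ... -%>`. The same holds for `@organisation` in the hunk at 23 and `@address` in the hunk at 34. If the real change was an escaping helper that the page rendering dropped, there is nothing to do. Otherwise, unless output auto-escaping is enabled for these views (not visible here), each value should go through `h`, e.g. `<big><%= h @server_id -%></big>` and `value="<%= h @organisation -%>"`. The two input values are placed inside double-quoted attributes, where HTML-escaping the quote character is what keeps the value confined to the attribute.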
@@ -23,7 +23,7 @@
         <h3><%= message('server_id_configuration.organisation.title') -%></h3>
       </th>
       <td>
-        <input type="text" name="organisation" value="<%= @organisation -%>" size="50"/>
+        <input type="text" name="organisation" value="<%= @organisation -%>" size="50"/>
         <br/>
         <p class="marginbottom10"><%= message('server_id_configuration.organisation.desc') -%></p>
         <span class="note"><%= message('server_id_configuration.organisation.pattern') -%></span>
@@ -34,7 +34,7 @@
         <h3><%= message('server_id_configuration.ip.title') -%></h3>
       </th>
       <td>
-        <input type="text" name="address" value="<%= @address -%>"/>
+        <input type="text" name="address" value="<%= @address -%>"/>
         <p class="marginbottom10"><%= message('server_id_configuration.ip.desc') -%></p>
         <ul class="marginbottom10 bullet">
           <% @valid_addresses.each_with_index do |ip_address, index| %>