From: Julien Lancelot <julien.lancelot@sonarsource.com>
Date: Mon, 22 Dec 2014 14:45:22 +0000 (+0100)
Subject: SSF-26 Cross-Site Scripting on Manual Metrics
X-Git-Tag: 4.5.2~10
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=1990f83bcc2c7999cb4fe78ab1589bc6941bc6dc;p=sonarqube.git

SSF-26 Cross-Site Scripting on Manual Metrics
---

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/metrics/index.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/metrics/index.html.erb
index d308a1f9161..9aa9b6519fd 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/metrics/index.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/metrics/index.html.erb
@@ -38,8 +38,8 @@
             <td class="left" nowrap id="metric_key_<%= metric.key -%>"><span class="note"><%= metric.key -%></span></td>
             <td class="left" nowrap id="metric_name_<%= metric.key -%>"><%= h metric.short_name -%></td>
             <td class="left" id="metric_desc_<%= metric.key -%>"><%= h metric.description -%></td>
-            <td class="left" id="metric_domain_<%= metric.key -%>"><%= metric.domain -%></td>
-            <td class="left" id="metric_type_name<%= metric.key -%>"><%= metric.value_type_name -%></td>
+            <td class="left" id="metric_domain_<%= metric.key -%>"><%= h metric.domain -%></td>
+            <td class="left" id="metric_type_name<%= metric.key -%>"><%= h metric.value_type_name -%></td>
             <td class="right thin nowrap">
             <% if is_admin? %>
              <a id="edit_<%= metric.key.parameterize -%>" href="<%=ApplicationController.root_context-%>/metrics/edit_form/<%= metric.id -%>" id="edit_<%= h(metric.short_name)-%>" class="open-modal link-action">Edit</a>&nbsp;