From: Stas Vilchik
Date: Tue, 19 Jan 2016 14:03:31 +0000 (+0100)
Subject: SONAR-7214 fix XSS injection on name of new users
X-Git-Tag: 5.4-M9~28
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=43921be268c12f2175555a521d52aa84b0f0cce2;p=sonarqube.git
SONAR-7214 fix XSS injection on name of new users
---
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb
index 950d46ca853..c82b0012620 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb
@@ -26,9 +26,9 @@
 <%# The two lines below mean that before full removal of Rails, we have to find a way to handle config properties %>
 window.SS = {
 hoursInDay: <%= configuration('sonar.technicalDebt.hoursInDay', 8) %>,
- user: '<%= current_user.login if current_user -%>',
- userName: '<%= current_user.name if current_user -%>',
- userEmail: '<%= current_user.email if current_user -%>',
+ user: '<%= escape_javascript current_user.login if current_user -%>',
+ userName: '<%= escape_javascript current_user.name if current_user -%>',
+ userEmail: '<%= escape_javascript current_user.email if current_user -%>',
 lf: {
 enableGravatar: <%= configuration('sonar.lf.enableGravatar', true) %>,
 gravatarServerUrl: '<%= configuration('sonar.lf.gravatarServerUrl') %>'
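Review bot: The last context line of the hunk, `gravatarServerUrl: '<%= configuration('sonar.lf.gravatarServerUrl') %>'`, is still interpolated raw into a single-quoted JS string literal of the same `window.SS` object, so it should receive the same treatment as the three user fields: `gravatarServerUrl: '<%= escape_javascript configuration('sonar.lf.gravatarServerUrl') %>'`. That value presumably comes from server configuration rather than from a self-registered user, so the exposure is narrower, but a quote or `</script>` in it would break out of the literal in every page that renders this layout. `escape_javascript` is the right primitive for this context as long as it is the Rails helper (which also rewrites `</` to `<\/`); if a local helper of the same name is in scope, confirm it covers backslash, both quote characters, newlines and `</`. A comment above `window.SS` such as `<%# every string value below is emitted inside a JS string literal: wrap it in escape_javascript %>` would make the invariant explicit for the next property added here.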