From: Julien Lancelot <julien.lancelot@gmail.com>
Date: Tue, 27 Aug 2013 10:15:37 +0000 (+0200)
Subject: SONAR-4269 Escape rule name to prevent XSS
X-Git-Tag: 3.7.1-RC1-~47
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=550899a13480fae40988025213459617c56450b4;p=sonarqube.git

SONAR-4269 Escape rule name to prevent XSS
---

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb
index f8901aa0ee4..6e1cb2eeeed 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb
@@ -1,4 +1,4 @@
-<div class="code-issue" data-issue-key="<%= issue.key -%>" data-issue-component="<%= issue.componentKey() -%>" data-issue-rule="<%= issue.ruleKey().toString() -%>">
+<div class="code-issue" data-issue-key="<%= issue.key -%>" data-issue-component="<%= issue.componentKey() -%>" data-issue-rule="<%= u issue.ruleKey().toString() -%>">
   <div class="code-issue-name">
     <div style="float: right">
       <a href="#" onclick="return openIssuePopup(this)" class="issue-permalink"><img src="<%= ApplicationController.root_context -%>/images/new-window-16.gif"></a>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_rule.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_rule.html.erb
index 279ccb735a8..a0165ac138f 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_rule.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_rule.html.erb
@@ -13,7 +13,7 @@
 <% end %>
 
 <div class="note">
-  <%= @rule.plugin_name -%>
+  <%= h @rule.plugin_name -%>
   &nbsp;<%= image_tag 'sep12.png' -%>&nbsp;
-  <a href="#" onclick="return openIssueRulePopup(this)"><%= @rule.plugin_rule_key -%></a>
+  <a href="#" onclick="return openIssueRulePopup(this)"><%= h @rule.plugin_rule_key -%></a>
 </div>
\ No newline at end of file
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/rules/_show_modal.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/rules/_show_modal.html.erb
index f86cba607ad..8ccefcb5c1d 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/rules/_show_modal.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/rules/_show_modal.html.erb
@@ -1,7 +1,7 @@
 <% if @rule %>
 <div class="modal-head">
   <h2 class="rule-title">
-    <%= @rule.name %>
+    <%= h @rule.name %>
   </h2>
   <% unless @rule.ready? %>
     <div class="rule-status">
@@ -13,7 +13,7 @@
     </div>
   <% end %>
   <ul class="modal-head-metadata">
-    <li><%= @rule.plugin_name -%> : <%= @rule.plugin_rule_key -%></li>
+    <li><%= h @rule.plugin_name -%> : <%= h @rule.plugin_rule_key -%></li>
   </ul>
 </div>
 
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/rules/show.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/rules/show.html.erb
index ab37ce9e1df..2258fdd293e 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/rules/show.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/rules/show.html.erb
@@ -1,5 +1,5 @@
 <div>
-  <h1 class="rule-title"><%= @rule.name %></h1>
+  <h1 class="rule-title"><%= h @rule.name %></h1>
   <% unless @rule.ready? %>
     <div class="rule-status">
       <% if @rule.beta? %>
@@ -12,7 +12,7 @@
 </div>
 
 <div class="subtitle">
-<%= @rule.plugin_name -%> : <%= @rule.plugin_rule_key -%>
+<%= h @rule.plugin_name -%> : <%= h @rule.plugin_rule_key -%>
 </div>
 
 <div class="rule_detail">