From: Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Date: Tue, 8 Apr 2014 10:28:34 +0000 (+0200)
Subject: Protect agains XSS of user name in issue viewer
X-Git-Tag: 4.3~104
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=5856c3ecdf930faa54ce6f0c28591931c15e0865;p=sonarqube.git

Protect agains XSS of user name in issue viewer
---

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb
index 7f15477920d..f83a9992c99 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/issue/_issue.html.erb
@@ -134,7 +134,7 @@
          comment_html_id = "comment-#{comment.key}-#{rand(100)}" %>
       <div class="code-issue-comment" id="<%= comment_html_id -%>" data-comment-key="<%= comment.key -%>">
         <h4>
-          <%= image_tag('reviews/comment.png') -%> &nbsp;<b><%= @issue_results.user(comment.userLogin()).name() -%></b>
+          <%= image_tag('reviews/comment.png') -%> &nbsp;<b><%= h( @issue_results.user(comment.userLogin()).name() ) -%></b>
           (<%= distance_of_time_in_words_to_now(Api::Utils.java_to_ruby_datetime(comment.createdAt)) -%>)
           <% if current_user && current_user.login==comment.userLogin %>
             &nbsp;