From: Stas Vilchik <vilchiks@gmail.com>
Date: Wed, 15 Oct 2014 13:33:35 +0000 (+0200)
Subject: SSF-21 XSS vulnerability on Measures page
X-Git-Tag: 4.5.1-RC1~27
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=83df107f0e400048a12cc1cac0863f495d64550c;p=sonarqube.git

SSF-21 XSS vulnerability on Measures page
---

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/measures/search.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/measures/search.html.erb
index 397b575f01d..168c56d5b9e 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/measures/search.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/measures/search.html.erb
@@ -106,8 +106,8 @@
 
 
   var queryParams = [
-    { key: 'qualifiers[]', value: <%= @filter.criteria['qualifiers'].to_json -%> },
-    { key: 'alertLevels[]', value: <%= @filter.criteria['alertLevels'].to_json -%> },
+    { key: 'qualifiers[]', value: <%= json_escape(@filter.criteria['qualifiers'].to_json) -%> },
+    { key: 'alertLevels[]', value: <%= json_escape(@filter.criteria['alertLevels'].to_json) -%> },
     { key: 'fromDate', value: '<%= h @filter.criteria['fromDate'] -%>' },
     { key: 'toDate', value: '<%= h @filter.criteria['toDate'] -%>' },
     { key: 'ageMinDays', value: '<%= h @filter.criteria('ageMinDays') -%>' },