From: Stas Vilchik <vilchiks@gmail.com>
Date: Mon, 20 Apr 2015 08:59:53 +0000 (+0200)
Subject: fix some XSS
X-Git-Tag: 4.5.5~7
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=b769e4c45a3b127efa189f828ac3e26424125109;p=sonarqube.git

fix some XSS
---

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/dashboard/no_dashboard.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/dashboard/no_dashboard.html.erb
index 8802eb19301..cafd00d02e6 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/dashboard/no_dashboard.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/dashboard/no_dashboard.html.erb
@@ -6,7 +6,7 @@
 <div id="accordion-panel"></div>
 
 <script type="text/javascript">
-  window.fileKey = '<%= @file.key -%>';
-  window.metric = '<%= @metric -%>';
+  window.fileKey = '<%= escape_javascript @file.key -%>';
+  window.metric = '<%= escape_javascript @metric -%>';
   document.getElementById('crumbs').remove();
 </script>
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/issues.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/issues.html.erb
index 1f9d2a805bd..be2d71956a7 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/issues.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/issues.html.erb
@@ -227,9 +227,9 @@
 
   window.drilldown = {
     metric: null,
-    rule: <% if @rule %>'<%= @rule.key -%>'<% else %>null<% end %>,
-    severity: <% if @severity %>'<%= @severity -%>'<% else %>null<% end %>,
-    period: <% if @period %><%= @period -%><% else %>null<% end %>
+    rule: <% if @rule %>'<%= escape_javascript @rule.key -%>'<% else %>null<% end %>,
+    severity: <% if @severity %>'<%= escape_javascript @severity -%>'<% else %>null<% end %>,
+    period: <% if @period %><%= escape_javascript @period -%><% else %>null<% end %>
   };
 </script>
 
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
index 56e4d0500d7..ce20188a8d2 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
@@ -8,7 +8,7 @@
   <div id="snapshot_title" class="page_title">
     <h4>
       <form method="GET" action="<%= url_for :action => 'measures' -%>" style="display: inline">
-        <input type="hidden" name="metric" value="<%= params[:metric] -%>"/>
+        <input type="hidden" name="metric" value="<%= h params[:metric] -%>"/>
 
         <select id="select-comparison" name="period" onchange="submit()">
           <% if @drilldown.display_value? %>
@@ -121,10 +121,10 @@
   <% end %>
 
   window.drilldown = {
-    metric: <% if @metric %>'<%= @metric.key -%>'<% else %>null<% end %>,
+    metric: <% if @metric %>'<%= escape_javascript @metric.key -%>'<% else %>null<% end %>,
     rule: null,
     severity: null,
-    period: <% if @period %><%= @period -%><% else %>null<% end %>
+    period: <% if @period %><%= escape_javascript @period -%><% else %>null<% end %>
   };
 </script>