From 1c6de01edf6838f8c6362dc5ff439021aeb13d13 Mon Sep 17 00:00:00 2001
From: Julien Lancelot
Date: Mon, 12 Aug 2013 14:42:12 +0200
Subject: [PATCH] SONAR-4269 Use html_escape function on some variables to prevent XSS
---
 .../webapp/WEB-INF/app/views/dependencies/index.html.erb | 2 +-
 .../main/webapp/WEB-INF/app/views/groups/index.html.erb | 4 ++--
 .../webapp/WEB-INF/app/views/groups/select_user.html.erb | 2 +-
 .../src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb | 2 +-
 .../webapp/WEB-INF/app/views/layouts/_layout.html.erb | 2 +-
 .../webapp/WEB-INF/app/views/resource/_options.html.erb | 8 ++++----
 6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb
index 9369185a671..195facdec93 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb
@@ -26,7 +26,7 @@ padding: 5px;
 <% end %>
- +

<%= message('dependencies.search_help') -%>

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb
index 7084251ccd0..61351fdc1b5 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb
@@ -15,8 +15,8 @@ <% @groups.each do |group|%>
- <%= group.name %>
- <%=group.description%>
+ <%= h group.name %>
+ <%= h group.description%>
 <%= group.users.count %> (<%= link_to "select", { :action => 'select_user', :id => group.id}, {:id => "select-#{u group.name}", :class => 'link-action'} %>)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb
index cb724249258..d3835282522 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb
@@ -12,7 +12,7 @@
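Review bot: `<%= h group.description%>` drops the space before `%>` that the sibling `<%= h group.name %>` keeps, so the two added lines read inconsistently; `<%= h group.description %>` lines them up. The `link_to` context line below them builds the element id with `u group.name`, which percent-encodes rather than HTML-escapes; that leaves no attribute-breaking characters, so it is only worth noting, not changing here. The `@groups.each` loop closes outside the hunk.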

Non-members

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb
index 4ed50332007..14b862a081c 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb
@@ -20,7 +20,7 @@ index=0 params.each do |key,value| %>
- <%= ',' if index>0 -%>"<%= key -%>":"<%= h(value) -%>"
+ <%= ',' if index>0 -%>"<%= h(key) -%>":"<%= h(value) -%>"
 <% index+=1 end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
index 1fad73248e2..363c276bb17 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
@@ -4,7 +4,7 @@ selected_section = Navigation::SECTION_HOME
 end
 @project=@resource unless @project || selected_section==Navigation::SECTION_HOME
- period_param = "period=#{params[:period]}" if params[:period]
+ period_param = "period=#{h(params[:period])}" if params[:period]
 %>
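Review bot: `h(key)` and `h(value)` apply HTML entity escaping inside what the `"<%= … -%>":"<%= … -%>"` pairs joined by `','` show to be a JavaScript object literal, where the characters that end the string are `"`, `\` and a line break rather than `<` or `&`; `h` neutralizes `"` but leaves `\` untouched, and any `&`, `<` or `>` in a key or value reaches the client as `&amp;`/`&lt;`/`&gt;` because entities are not decoded inside a script block. If this literal is emitted inside `<script>` (the enclosing tags and the opening `<%` are outside the hunk), `escape_javascript` is the helper matching that context: `"<%= escape_javascript(key.to_s) -%>":"<%= escape_javascript(value.to_s) -%>"`. The same HTML-escaping-inside-a-JavaScript-string pattern is in the `resource/_options.html.erb` hunk, where `h @resource.key` and `h params[:display_title].to_s` sit inside the single-quoted `var url = '…'` literal and `'`/`\` are the breakout characters.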
<%= yield :header -%>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_options.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_options.html.erb
index 5047c094f36..09f817ea2e0 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_options.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_options.html.erb
@@ -7,15 +7,15 @@ applyOptions = function (elt) { var currentForm = $j(elt).closest('.options-form'); var params = currentForm.serialize();
- var url = '<%= ApplicationController.root_context -%>/resource/index/<%= @resource.key %>?display_title=<%= params[:display_title].to_s -%>&'+ params;
+ var url = '<%= ApplicationController.root_context -%>/resource/index/<%= h @resource.key %>?display_title=<%= h params[:display_title].to_s -%>&'+ params;
 openAccordionItem(url, elt, true); return true; };
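Review bot: `period_param` is a query-string fragment (`"period=#{…}"`), so `h(params[:period])` escapes for the wrong layer: URL-significant characters such as `&`, `=` or `#` in the value are not percent-encoded, and the `&amp;` that `h` produces decodes back to `&` once the fragment is placed in an `href`, so a value containing `&` can still append extra parameters to whichever links consume it (those uses are outside the hunk). Percent-encoding with `u`, which the groups template in this same patch already uses, covers both the URL and the attribute context: `period_param = "period=#{u(params[:period])}" if params[:period]`. If `period` is only ever expected to be a small numeric index, coercing it with `to_i` before interpolation would be tighter still — confirm against the callers. The `<%` block that opens this Ruby code starts outside the hunk.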
- - - + + + -- 2.39.5
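Review bot: `h params[:display_title].to_s` is interpolated as a query-string value of the URL that `openAccordionItem(url, elt, true)` fetches, and HTML escaping does not cover that context: characters such as `%`, `#`, `+` or `=` in the value pass through unchanged and alter the request, while `\` (and, depending on the `html_escape` version in use, `'`) can still terminate the surrounding single-quoted literal. Percent-encoding with `u` handles both, `?display_title=<%= u params[:display_title].to_s -%>&'+ params;`, since its output contains only `%XX` sequences and unreserved characters. `h @resource.key` in the path segment of the same literal falls under the JavaScript-string point raised on the `gwt/_base.html.erb` hunk; whether the key needs path-segment encoding as well depends on the routing, which is not visible here. `applyOptions` is complete within the hunk, but the `<script>` block around it is not.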