From 43921be268c12f2175555a521d52aa84b0f0cce2 Mon Sep 17 00:00:00 2001
From: Stas Vilchik
Date: Tue, 19 Jan 2016 15:03:31 +0100
Subject: [PATCH] SONAR-7214 fix XSS injection on name of new users

---
 .../main/webapp/WEB-INF/app/views/layouts/_head.html.erb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb
index 950d46ca853..c82b0012620 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb
@@ -26,9 +26,9 @@
 <%# The two lines below mean that before full removal of Rails, we have to find a way to handle config properties %>
 window.SS = {
 hoursInDay: <%= configuration('sonar.technicalDebt.hoursInDay', 8) %>,
- user: '<%= current_user.login if current_user -%>',
- userName: '<%= current_user.name if current_user -%>',
- userEmail: '<%= current_user.email if current_user -%>',
+ user: '<%= escape_javascript current_user.login if current_user -%>',
+ userName: '<%= escape_javascript current_user.name if current_user -%>',
+ userEmail: '<%= escape_javascript current_user.email if current_user -%>',
 lf: {
 enableGravatar: <%= configuration('sonar.lf.enableGravatar', true) %>,
 gravatarServerUrl: '<%= configuration('sonar.lf.gravatarServerUrl') %>'
-- 
2.39.5
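Review bot: The same single-quoted-string pattern survives unescaped on the trailing context line `gravatarServerUrl: '<%= configuration('sonar.lf.gravatarServerUrl') %>'` in this hunk; that value is admin-configured rather than user-supplied, but a `'` or `</` in it breaks out of the string literal in exactly the way this commit fixes for the user fields, so it should become `gravatarServerUrl: '<%= escape_javascript configuration('sonar.lf.gravatarServerUrl') %>'`. For the three fixed lines it is worth confirming that the Rails version bundled here has `escape_javascript` map `</` to `<\/` — this is an inline `<script>` block, so the HTML parser terminates it on a `</script>` sequence before the JavaScript quoting is ever evaluated, and quote-escaping alone would not cover that. A more durable shape is to assemble a Ruby hash and emit the whole `window.SS` object once via `to_json`, which escapes every field uniformly instead of relying on the helper being remembered per line as the object grows. The `window.SS = {` literal continues past the end of the hunk, so any further string-valued fields there should be checked for the same omission.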