From 83df107f0e400048a12cc1cac0863f495d64550c Mon Sep 17 00:00:00 2001
From: Stas Vilchik
Date: Wed, 15 Oct 2014 15:33:35 +0200
Subject: [PATCH] SSF-21 XSS vulnerability on Measures page
---
 .../main/webapp/WEB-INF/app/views/measures/search.html.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/measures/search.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/measures/search.html.erb
index 397b575f01d..168c56d5b9e 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/measures/search.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/measures/search.html.erb
@@ -106,8 +106,8 @@
 var queryParams = [
- { key: 'qualifiers[]', value: <%= @filter.criteria['qualifiers'].to_json -%> },
- { key: 'alertLevels[]', value: <%= @filter.criteria['alertLevels'].to_json -%> },
+ { key: 'qualifiers[]', value: <%= json_escape(@filter.criteria['qualifiers'].to_json) -%> },
+ { key: 'alertLevels[]', value: <%= json_escape(@filter.criteria['alertLevels'].to_json) -%> },
 { key: 'fromDate', value: '<%= h @filter.criteria['fromDate'] -%>' },
 { key: 'toDate', value: '<%= h @filter.criteria['toDate'] -%>' },
 { key: 'ageMinDays', value: '<%= h @filter.criteria('ageMinDays') -%>' },
-- 
2.39.5
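Review bot: The three unchanged rows below the fix (`fromDate`, `toDate`, `ageMinDays`) still write filter criteria, presumably request-derived like the two fixed ones, into single-quoted JavaScript string literals through `h`. `h` is an HTML encoder: it does not neutralise backslashes or line terminators in a script context, and on some older Rails releases it leaves single quotes alone as well. These rows should get a JavaScript-context encoder like the changed ones, e.g. `{ key: 'fromDate', value: <%= json_escape(@filter.criteria['fromDate'].to_json) -%> },`, or `escape_javascript` inside the existing quotes. It is also worth confirming that `json_escape` in the bundled Rails version preserves double quotes, since some older releases strip them and would turn the serialized array into invalid JavaScript. The `queryParams` array continues past the end of the hunk, so any further rows need the same check.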