authorJulien Lancelot <julien.lancelot@gmail.com>2013-08-12 14:42:12 +0200
committerJulien Lancelot <julien.lancelot@gmail.com>2013-08-12 14:42:12 +0200
commit1c6de01edf6838f8c6362dc5ff439021aeb13d13 (patch)
treeea16e09ea58bf79d785e24d075f0115d1e24a530 /sonar-server
parent0ec76fc3d51c4e229d9bd4070df086b4e7eafa04 (diff)
downloadsonarqube-1c6de01edf6838f8c6362dc5ff439021aeb13d13.tar.gz
sonarqube-1c6de01edf6838f8c6362dc5ff439021aeb13d13.zip
SONAR-4269 Use html_escape function on some variables to prevent XSS
Diffstat (limited to 'sonar-server')
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/resource/_options.html.erb8
6 files changed, 10 insertions, 10 deletions
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb
index 9369185a671..195facdec93 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb
@@ -26,7 +26,7 @@ padding: 5px;
</style>
<% end %>
<form action="<%= ApplicationController.root_context -%>/dependencies/index" id="search_form">
- <input type="text" name="search" value="<%= params[:search] -%>" id="search_input"> </input>
+ <input type="text" name="search" value="<%= h params[:search] -%>" id="search_input"> </input>
<input type="submit" value="<%= message('dependencies.search_library') -%>" id="search_submit"/><br/>
<p class="small gray"><%= message('dependencies.search_help') -%></p>
</form>
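Review bot: The escaped `search` input on the added line still carries a `</input>` end tag; `input` is a void element, so the closing tag is invalid markup and browsers simply discard it. Since the line is being touched anyway, drop it: `<input type="text" name="search" value="<%= h params[:search] -%>" id="search_input">`. The attribute is double-quoted, so `h` is the correct encoder for that value; the other interpolations in the hunk are application-controlled (root context, message keys) and need no change.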
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb
index 7084251ccd0..61351fdc1b5 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb
@@ -15,8 +15,8 @@
<tbody >
<% @groups.each do |group|%>
<tr id="group-<%= u group.name -%>">
- <td class="left"><%= group.name %></td>
- <td class="left" style="word-break:break-all"><%=group.description%></td>
+ <td class="left"><%= h group.name %></td>
+ <td class="left" style="word-break:break-all"><%= h group.description%></td>
<td class="left">
<span id="count-<%= u group.name -%>"><%= group.users.count %></span> (<%= link_to "select", { :action => 'select_user', :id => group.id}, {:id => "select-#{u group.name}", :class => 'link-action'} %>)
</td>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb
index cb724249258..d3835282522 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb
@@ -12,7 +12,7 @@
<h2>Non-members</h2>
<select name="from" id="from" size="30" style="margin: 5px 0pt; width: 300px;" multiple="multiple">
<% @group.available_users.sort.each do |user| %>
- <option value="<%= user.id -%>"><%= user.name -%></option>
+ <option value="<%= user.id -%>"><%= h user.name -%></option>
<% end %>
</select>
</td>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb
index 4ed50332007..14b862a081c 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/gwt/_base.html.erb
@@ -20,7 +20,7 @@
index=0
params.each do |key,value|
%>
- <%= ',' if index>0 -%>"<%= key -%>":"<%= h(value) -%>"
+ <%= ',' if index>0 -%>"<%= h(key) -%>":"<%= h(value) -%>"
<%
index+=1
end
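Review bot: `h()` is an HTML escaper, but the `"<%= h(key) -%>":"<%= h(value) -%>"` line is emitting a JavaScript string literal, so the escaping does not match the context: a backslash passes through unchanged and can swallow the closing quote, while `"`, `<` and `&` come out as HTML entities that the script interpreter never decodes, so such values reach the page corrupted instead of intact. The encoder for this context is `escape_javascript`, which also rewrites `</` and so covers a closing-tag sequence inside an inline script: `"<%= escape_javascript(key.to_s) -%>":"<%= escape_javascript(value.to_s) -%>"`. Because this loop only hand-builds a JSON object, the whole `index`/`each` scaffold could instead become `<%= params.to_json %>`, whose HTML-entity handling depends on the ActiveSupport version in use and should be checked before relying on it. The `var url = '…'` line in `resource/_options.html.erb` wraps `h` inside a single-quoted JavaScript string and has the same mismatch. Whether this output sits inside a `<script>` element is not visible in the hunk.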
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
index 1fad73248e2..363c276bb17 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
@@ -4,7 +4,7 @@
selected_section = Navigation::SECTION_HOME
end
@project=@resource unless @project || selected_section==Navigation::SECTION_HOME
- period_param = "period=#{params[:period]}" if params[:period]
+ period_param = "period=#{h(params[:period])}" if params[:period]
%>
<div id="container">
<%= yield :header -%>
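Review bot: `h` is the wrong encoder for a query-string value on the `period_param` line: `&` becomes `&amp;`, which an HTML attribute decodes straight back to `&`, and `=`, `#`, `?` and spaces pass through untouched, so the value can still be read as extra parameters by whatever link `period_param` is interpolated into (its consumers are outside this hunk). URL-encoding covers both contexts, because percent-encoded output contains no HTML-special characters: `period_param = "period=#{u(params[:period])}" if params[:period]`. If the variable is ever emitted somewhere other than a URL, that site should escape for its own context at the point of output rather than relying on the encoding chosen here.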
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_options.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_options.html.erb
index 5047c094f36..09f817ea2e0 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_options.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_options.html.erb
@@ -7,15 +7,15 @@
applyOptions = function (elt) {
var currentForm = $j(elt).closest('.options-form');
var params = currentForm.serialize();
- var url = '<%= ApplicationController.root_context -%>/resource/index/<%= @resource.key %>?display_title=<%= params[:display_title].to_s -%>&'+ params;
+ var url = '<%= ApplicationController.root_context -%>/resource/index/<%= h @resource.key %>?display_title=<%= h params[:display_title].to_s -%>&'+ params;
openAccordionItem(url, elt, true);
return true;
};
</script>
<form method="GET" action="<%= url_for :controller => 'resource', :action => 'index', :id => @resource.key -%>" class="options-form">
- <input type="hidden" name="tab" value="<%= params[:tab] -%>"/>
- <input type="hidden" name="metric" value="<%= params[:metric] -%>"/>
- <input type="hidden" name="period" value="<%= params[:period] -%>"/>
+ <input type="hidden" name="tab" value="<%= h params[:tab] -%>"/>
+ <input type="hidden" name="metric" value="<%= h params[:metric] -%>"/>
+ <input type="hidden" name="period" value="<%= h params[:period] -%>"/>
<table>
<tr>