authorJulien Lancelot <julien.lancelot@gmail.com>2013-02-07 15:13:42 +0100
committerJulien Lancelot <julien.lancelot@gmail.com>2013-02-07 15:14:02 +0100
commitc2f1b1de11ef071fa40102cacc3a9ba80083fa58 (patch)
tree746d746325a165e5e77601cef203d95b0791eb69 /sonar-server
parent64cdd30bf4c0df7aa871ec24a17987d9565dea75 (diff)
SONAR-4012 Missing html escape in project name
Diffstat (limited to 'sonar-server')
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/helpers/dashboard_helper.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/helpers/measures_helper.rb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/all_projects/index.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/ghosts.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/index.html.erb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/cloud/index.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/comparison/_versions.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/comparison/index.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/components/_list_table_header.rhtml2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/components/index.html.erb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb6
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/violations.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_iframe.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_nolayout.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_cloud.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications_source_snippet.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/resource/_tabs.html.erb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/reviews/_list.html.erb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/search/_autocomplete.html.erb2
23 files changed, 31 insertions, 31 deletions
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/helpers/dashboard_helper.rb b/sonar-server/src/main/webapp/WEB-INF/app/helpers/dashboard_helper.rb
index 57a1658c5df..169157424c7 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/helpers/dashboard_helper.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/helpers/dashboard_helper.rb
@@ -122,7 +122,7 @@ module DashboardHelper
end
def widget_title(widget)
- resource_name=link_to(@resource.name, {:controller => 'dashboard', :action => 'index', :id => @resource.id}) if @resource && @dashboard.global && !widget.java_definition.global
+ resource_name=link_to(h(@resource.name), {:controller => 'dashboard', :action => 'index', :id => @resource.id}) if @resource && @dashboard.global && !widget.java_definition.global
[resource_name, @widget_title].compact.join(' - ')
end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/helpers/measures_helper.rb b/sonar-server/src/main/webapp/WEB-INF/app/helpers/measures_helper.rb
index 311ec82e9d0..71e0751eca6 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/helpers/measures_helper.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/helpers/measures_helper.rb
@@ -46,9 +46,9 @@ module MeasuresHelper
end
elsif column.key=='name'
- "#{qualifier_icon(row.snapshot)} #{link_to(row.snapshot.resource.name(true), {:controller => 'dashboard', :id => row.snapshot.resource_id}, :title => row.snapshot.resource.key)}"
+ "#{qualifier_icon(row.snapshot)} #{link_to(h(row.snapshot.resource.name(true)), {:controller => 'dashboard', :id => row.snapshot.resource_id}, :title => h(row.snapshot.resource.key))}"
elsif column.key=='short_name'
- "#{qualifier_icon(row.snapshot)} #{link_to(row.snapshot.resource.name(false), {:controller => 'dashboard', :id => row.snapshot.resource_id}, :title => row.snapshot.resource.key)}"
+ "#{qualifier_icon(row.snapshot)} #{link_to(h(row.snapshot.resource.name(false)), {:controller => 'dashboard', :id => row.snapshot.resource_id}, :title => h(row.snapshot.resource.key))}"
elsif column.key=='date'
human_short_date(row.snapshot.created_at)
elsif column.key=='key'
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/all_projects/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/all_projects/index.html.erb
index 958b90d68ea..be95bc8400e 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/all_projects/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/all_projects/index.html.erb
@@ -38,7 +38,7 @@
<td class="thin"><%= link_to_favourite(row.snapshot.resource) -%></td>
<% end %>
<td class="nowrap">
- <%= qualifier_icon(row.snapshot)-%> <%= link_to(row.snapshot.resource.name(true), {:controller => 'dashboard', :id => row.snapshot.resource_id}, :title => row.snapshot.resource.key) -%>
+ <%= qualifier_icon(row.snapshot)-%> <%= link_to(h(row.snapshot.resource.name(true)), {:controller => 'dashboard', :id => row.snapshot.resource_id}, :title => h(row.snapshot.resource.key)) -%>
</td>
<td class="sep"></td>
<td>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/ghosts.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/ghosts.html.erb
index 77a13a6029e..f7863630c44 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/ghosts.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/ghosts.html.erb
@@ -42,7 +42,7 @@
<%
ghosts.sort {|x,y| x.name <=> y.name}.each_with_index do |resource, index|
%>
- <li><%= h resource.name -%> <span class="small gray">( <%= resource.key -%> )</span></li>
+ <li><%= h resource.name -%> <span class="small gray">( <%= hresource.key -%> )</span></li>
<%
end
%>
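Review bot: The added line loses the space between `h` and `resource.key`, so `<%= hresource.key -%>` calls an undefined `hresource` method and the ghosts page would raise at render time instead of escaping the key. It should read `<%= h resource.key -%>`, matching the `<%= h resource.name -%>` earlier on the same line.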
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/index.html.erb
index 1341d8b1f3c..5f4965695e7 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/bulk_deletion/index.html.erb
@@ -64,10 +64,10 @@
<input id="r-<%= index -%>" type="checkbox" value="<%= resource.id -%>" name="resources[]">
</td>
<td>
- <%= resource.name -%>
+ <%= h resource.name -%>
</td>
<td>
- <span class="small gray"><%= resource.key -%></span></td>
+ <span class="small gray"><%= h resource.key -%></span></td>
</td>
</tr>
<% end %>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/cloud/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/cloud/index.html.erb
index 792188310ac..47fc05228ee 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/cloud/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/cloud/index.html.erb
@@ -64,7 +64,7 @@
title += " | #{@color_metric.short_name}: #{color_measure.formatted_value}"
end
%>
- <a href="#" onclick="<%= link -%>" title="<%= title -%>"><span style="font-size: <%= font_size(size_measure.value) -%>%;color: <%= MeasureColor.color(color_measure, color_options).html -%>"><%= s.resource.name %></span></a>
+ <a href="#" onclick="<%= link -%>" title="<%= title -%>"><span style="font-size: <%= font_size(size_measure.value) -%>%;color: <%= MeasureColor.color(color_measure, color_options).html -%>"><%= h s.resource.name %></span></a>
<% end
end %>
</div> \ No newline at end of file
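Review bot: The `title="<%= title -%>"` attribute on the changed line is still emitted without escaping, while only the span text gained `h`. `title` is built by string interpolation on the lines above (its construction starts outside the hunk), so if it contains the resource name or a metric short name, the same unescaped data reaches an attribute. `title="<%= h title -%>"` closes that gap; the identical pattern is left untouched in measures/_display_cloud.html.erb.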
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/comparison/_versions.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/comparison/_versions.html.erb
index 813d8d4ba12..f2a3be5c321 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/comparison/_versions.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/comparison/_versions.html.erb
@@ -2,7 +2,7 @@
<option value=""></option>
<% @versions.each do |version| %>
- <option value="<%= version.snapshot_id -%>"><%= version.name -%></option>
+ <option value="<%= version.snapshot_id -%>"><%= h version.name -%></option>
<% end %>
<% end %> \ No newline at end of file
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/comparison/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/comparison/index.html.erb
index 185d02d6dbf..8aaec00e6b7 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/comparison/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/comparison/index.html.erb
@@ -195,7 +195,7 @@
event = s.event(EventCategory::KEY_VERSION)
%>
<th style="text-align: center; vertical-align: top;">
- <a href="<%= ApplicationController.root_context -%>/dashboard/index/<%= s.resource.key -%>"><%= s.resource.name(true) -%></a>
+ <a href="<%= ApplicationController.root_context -%>/dashboard/index/<%= s.resource.key -%>"><%= h s.resource.name(true) -%></a>
<br/>
<span class="note"><b><%= event ? event.name : message('comparison.version.latest') -%></b></span>
<br/>
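Review bot: `<%= s.resource.key -%>` is interpolated into the href on the changed line with no escaping at all, whereas the other hunks of this commit (all_projects, bulk_deletion, layouts/_head) do escape `.key`. Because this value lands in a URL path segment, `<%= u(s.resource.key) -%>` is the appropriate transform there. The `event.name` output in the `<span class="note">` below is likewise unescaped; whether it needs `h` depends on where event names come from, which is not visible here.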
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/components/_list_table_header.rhtml b/sonar-server/src/main/webapp/WEB-INF/app/views/components/_list_table_header.rhtml
index 54b349bd8aa..afac1b9c82c 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/components/_list_table_header.rhtml
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/components/_list_table_header.rhtml
@@ -16,7 +16,7 @@
<th><% if logged_in? %><%= link_to_favourite(@snapshot.project) -%><% end %></th>
<th class="left text <%= 'sortfirstasc' if @components_configuration.sorted_by_project_name? -%>">
<%= qualifier_icon(@snapshot) -%>
- <a x="<%= u(@snapshot.project.name) -%>" href="<%= ApplicationController.root_context + "/project/index/#{@snapshot.project.id}" -%>"><%= @snapshot.project.name -%></a>
+ <a x="<%= u(@snapshot.project.name) -%>" href="<%= ApplicationController.root_context + "/project/index/#{@snapshot.project.id}" -%>"><%= h @snapshot.project.name -%></a>
</th>
<% @columns.each do |column| %>
<%= get_header_content(column, @snapshot) -%>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/components/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/components/index.html.erb
index be8ab060245..6181db2fa95 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/components/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/components/index.html.erb
@@ -53,9 +53,9 @@
<td class="left" x="<%= u(snapshot.project.name) -%>">
<%= qualifier_icon(snapshot) %>
<% if snapshot.display_dashboard? %>
- <%= link_to_resource(project, snapshot.project.name) %>
+ <%= link_to_resource(project, h(snapshot.project.name)) %>
<% else %>
- <%= snapshot.project.name %>
+ <%= h snapshot.project.name %>
<% end %>
</td>
<% @columns.each do |column| %>
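Review bot: `link_to_resource(project, h(snapshot.project.name))` on the changed line pre-escapes the label before handing it to a helper, while the same commit leaves `link_to_resource(resource, resource.name(true), ...)` unescaped in resource/_duplications_source_snippet.html.erb. Only one of the two can be right: if `link_to_resource` escapes its label (its definition is not visible here), this line double-escapes names containing `&`; if it does not, the snippet hunk still emits raw names. Settling escaping inside `link_to_resource` and calling it with the raw name at both sites would avoid the inconsistency.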
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb
index 812bac4f904..9369185a671 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/dependencies/index.html.erb
@@ -43,7 +43,7 @@ padding: 5px;
<% end %>
<% @resources.each do |resource|%>
<tr class="<%= cycle('even', 'odd', :name => 'lib') -%> <%= 'selected' if resource==@resource -%>">
- <td ><%= qualifier_icon(resource) %> <a href="<%= url_for :action => 'index', :overwrite_params => {:version => nil, :resource => resource.kee} -%>"><%= h resource.name(true) -%></a><br/><span class="small gray"><%= resource.kee -%></span></td>
+ <td ><%= qualifier_icon(resource) %> <a href="<%= url_for :action => 'index', :overwrite_params => {:version => nil, :resource => resource.kee} -%>"><%= h resource.name(true) -%></a><br/><span class="small gray"><%= h resource.kee -%></span></td>
</tr>
<% end %>
</tbody>
@@ -86,8 +86,8 @@ padding: 5px;
<% @project_snapshots.each do |project_snapshot|%>
<tr class="<%= cycle('even', 'odd', :name => 'dep') -%>">
<td>
- <%= qualifier_icon(project_snapshot.project) %> <%= link_to project_snapshot.project.name(true), "#{ApplicationController.root_context}/plugins/resource/#{project_snapshot.project_id}?page=org.sonar.plugins.design.ui.libraries.LibrariesPage&filter=#{@resource.kee}" -%><br/>
- <span class="small gray"><%= project_snapshot.project.kee -%></span></td>
+ <%= qualifier_icon(project_snapshot.project) %> <%= link_to h(project_snapshot.project.name(true)), "#{ApplicationController.root_context}/plugins/resource/#{project_snapshot.project_id}?page=org.sonar.plugins.design.ui.libraries.LibrariesPage&filter=#{h @resource.kee}" -%><br/>
+ <span class="small gray"><%= h project_snapshot.project.kee -%></span></td>
</tr>
<% end %>
</tbody>
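Review bot: `filter=#{h @resource.kee}` on the changed `link_to` line applies HTML escaping to a URL query-string value, which is the wrong transform for that position: a key containing `&`, `=` or `#` still breaks the query, and a `&` is rendered as `&amp;` inside the URL text. `u(@resource.kee)` (URL encoding) is the right call there, with attribute escaping left to `link_to` (assuming it escapes its html attributes, as Rails tag helpers do). The same `h` on a URL path component appears in the layouts/_head.html.erb hunk (`/feeds/project/<%= h @project.key -%>`).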
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
index 7fb8dce4f36..b19fa6e50ba 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
@@ -71,9 +71,9 @@
<%= qualifier_icon(resource) -%>&nbsp;
<% if resource.source_code? %>
<a href="#" onclick="$j('#col_<%= index -%> tr').removeClass('selected'); $j('#row_<%= index -%>_<%= row_index -%>').addClass('selected'); d(<%= resource.id -%>)"
- alt="<%= resource.name(true) -%>" title="<%= resource.name(true) -%>"><%= resource.name(false) -%></a>
+ alt="<%= h resource.name(true) -%>" title="<%= h resource.name(true) -%>"><%= h resource.name(false) -%></a>
<% else %>
- <%= link_to(resource.name, {:only_path => true, :overwrite_params => {:rids => (selected ? rids-[resource.id] : rids+[resource.id])}}) -%>
+ <%= link_to(h(resource.name), {:only_path => true, :overwrite_params => {:rids => (selected ? rids-[resource.id] : rids+[resource.id])}}) -%>
<% end %>
</td>
<td class="right">
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/violations.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/violations.html.erb
index 26e616f7a5f..66a67705302 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/violations.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/violations.html.erb
@@ -150,7 +150,7 @@
<%= qualifier_icon(resource) -%>&nbsp;
<% if resource.source_code? %>
<a href="#" onclick="$j('#col_<%= index -%> tr').removeClass('selected'); $j('#row_<%= index -%>_<%= row_index -%>').addClass('selected'); d(<%= resource.id -%>);"
- alt="<%= resource.name(true) -%>" title="<%= resource.name(true) -%>"><%= resource.name(false) %></a>
+ alt="<%= h resource.name(true) -%>" title="<%= h resource.name(true) -%>"><%= h resource.name(false) %></a>
<% else %>
<%= link_to(h(resource.name), {:only_path => true, :overwrite_params => {:rids => (selected ? rids-[resource.id] : rids+[resource.id])}}) -%>
<% end %>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb
index 9e37fa96731..a429508df4d 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_head.html.erb
@@ -8,7 +8,7 @@
<%
if @project
%>
- <link rel="alternate" title="Sonar Alerts on <%= @project.name -%>" href="<%= ApplicationController.root_context -%>/feeds/project/<%= @project.key -%>?category=<%= EventCategory::KEY_ALERT -%>" type="application/atom+xml">
+ <link rel="alternate" title="Sonar Alerts on <%= h @project.name -%>" href="<%= ApplicationController.root_context -%>/feeds/project/<%= h @project.key -%>?category=<%= EventCategory::KEY_ALERT -%>" type="application/atom+xml">
<%
else
%>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_iframe.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_iframe.html.erb
index 6e20677bf70..335d92725f4 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_iframe.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_iframe.html.erb
@@ -1,5 +1,5 @@
<div id="body" class="nolayout">
- <% if @snapshot %><div class="print"><h2><%= @snapshot.project.name(true) %></h2></div><% end %>
+ <% if @snapshot %><div class="print"><h2><%= h @snapshot.project.name(true) %></h2></div><% end %>
<div class="error" id="error" style="display:none"><span id="errormsg"></span> &nbsp;&nbsp;[<a href="#" onclick="javascript:$('error').hide();return false;"><%= message('hide').downcase -%></a>]</div>
<div class="warning" id="warning" style="display:none"><span id="warningmsg"></span> &nbsp;&nbsp;[<a href="#" onclick="javascript:$('warning').hide();return false;"><%= message('hide').downcase -%></a>]</div>
<div class="notice" id="info" style="display:none"><span id="infomsg"></span> &nbsp;&nbsp;[<a href="#" onclick="javascript:$('info').hide();return false;"><%= message('hide').downcase -%></a>]</div>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
index df6c023d358..1434353b822 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
@@ -162,7 +162,7 @@
<% end %>
<div <%= "id='content' class='with_sidebar'" if selected_section -%>>
<% if @project %>
- <div class="print"><h2><%= @project.name(true) %></h2></div>
+ <div class="print"><h2><%= h @project.name(true) %></h2></div>
<% end %>
<div class="error" id="error" style="display:none">
<span id="errormsg"></span> &nbsp;&nbsp;[<a href="#" onclick="javascript:$('error').hide();return false;"><%= message('hide').downcase -%></a>]
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_nolayout.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_nolayout.html.erb
index 6e20677bf70..335d92725f4 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_nolayout.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_nolayout.html.erb
@@ -1,5 +1,5 @@
<div id="body" class="nolayout">
- <% if @snapshot %><div class="print"><h2><%= @snapshot.project.name(true) %></h2></div><% end %>
+ <% if @snapshot %><div class="print"><h2><%= h @snapshot.project.name(true) %></h2></div><% end %>
<div class="error" id="error" style="display:none"><span id="errormsg"></span> &nbsp;&nbsp;[<a href="#" onclick="javascript:$('error').hide();return false;"><%= message('hide').downcase -%></a>]</div>
<div class="warning" id="warning" style="display:none"><span id="warningmsg"></span> &nbsp;&nbsp;[<a href="#" onclick="javascript:$('warning').hide();return false;"><%= message('hide').downcase -%></a>]</div>
<div class="notice" id="info" style="display:none"><span id="infomsg"></span> &nbsp;&nbsp;[<a href="#" onclick="javascript:$('info').hide();return false;"><%= message('hide').downcase -%></a>]</div>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_cloud.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_cloud.html.erb
index 5838afe905a..651ff421e2c 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_cloud.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_cloud.html.erb
@@ -24,7 +24,7 @@
title += " | #{filter.display.color_metric.short_name}: #{color_measure.formatted_value}"
end
%>
- <a href="<%= ApplicationController.root_context -%>/dashboard/index/<%= row.snapshot.resource_id -%>" title="<%= title -%>"><span style="font-size: <%= cloud_font_size(size_measure.value, min_size_value, max_size_value) -%>%;color: <%= MeasureColor.color(color_measure, color_options).html -%>"><%= row.snapshot.resource.name %></span></a>
+ <a href="<%= ApplicationController.root_context -%>/dashboard/index/<%= row.snapshot.resource_id -%>" title="<%= title -%>"><span style="font-size: <%= cloud_font_size(size_measure.value, min_size_value, max_size_value) -%>%;color: <%= MeasureColor.color(color_measure, color_options).html -%>"><%= h row.snapshot.resource.name %></span></a>
<% end
end %>
</div> \ No newline at end of file
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications.html.erb
index 26e0575634c..e4c8d88f514 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications.html.erb
@@ -58,7 +58,7 @@
update_snippet_script = "updateDuplicationLines('#{url_for :action => :show_duplication_snippet, :params => {:id => resource.id, :original_resource_id => @resource.id}}',#{group_index}, #{index}, #{lines_count}, #{from_line}, #{included_to_line});"
%>
<p id="duplName-<%= group_index -%>-<%= index -%>" class="<%= 'selected' if index==0 -%>">
- <a href="#" onclick="return <%= update_snippet_script -%>;"><%= resource.name -%></a>
+ <a href="#" onclick="return <%= update_snippet_script -%>;"><%= h resource.name -%></a>
<%= image_tag "links/external.png" if external -%>
</p>
<% end %>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications_source_snippet.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications_source_snippet.html.erb
index a4c3490b177..05bde167327 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications_source_snippet.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_duplications_source_snippet.html.erb
@@ -17,7 +17,7 @@
<p>
<%= qualifier_icon(resource) -%>
<% if resource == original_resource %>
- <%= resource.name(true) -%>
+ <%= h resource.name(true) -%>
<% else %>
<%= link_to_resource(resource, resource.name(true), {:line => from_line}) -%>
<% end %>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_tabs.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_tabs.html.erb
index bcd361042d6..25d08358daa 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_tabs.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/resource/_tabs.html.erb
@@ -11,11 +11,11 @@
<div class="source_title">
<% if @resource.project %>
<div class="subtitle">
- <%= @resource.ancestor_projects.reverse.map{|p| p.name(true)}.join(' / ') -%>
+ <%= h @resource.ancestor_projects.reverse.map{|p| p.name(true)}.join(' / ') -%>
</div>
<% end %>
<% if logged_in? %><%= link_to_favourite(@resource) -%><% end %>
- <span class="h1"><%= qualifier_icon(@resource) -%> <%= @resource.name(true) -%></span>
+ <span class="h1"><%= qualifier_icon(@resource) -%> <%= h @resource.name(true) -%></span>
</div>
<% end %>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/_list.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/_list.html.erb
index 938b6870384..47c62b544bd 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/_list.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/_list.html.erb
@@ -57,9 +57,9 @@
</div>
</td>
<td>
- <span class="nowrap"><%= review.project.name -%></span>
+ <span class="nowrap"><%= h review.project.name -%></span>
<br/>
- <span class="note"><%= review.resource.name if review.resource -%></span></td>
+ <span class="note"><%= h(review.resource.name) if review.resource -%></span></td>
<td><%= review.assignee ? h(review.assignee.name) : '-' -%></td>
<td><%= distance_of_time_in_words_to_now(review.updated_at) -%></td>
</tr>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/search/_autocomplete.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/search/_autocomplete.html.erb
index 99e526f81fd..a77fc3a4c44 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/search/_autocomplete.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/search/_autocomplete.html.erb
@@ -18,7 +18,7 @@
displayed_resource_name=truncate(displayed_resource_name.reverse, :length => 70).reverse
end
%>
- <span><%= qualifier_icon resource -%> <%= highlight(displayed_resource_name, params[:s]) -%></span>
+ <span><%= qualifier_icon resource -%> <%= highlight(h(displayed_resource_name), params[:s]) -%></span>
</li>
<% first=false
end