Merge pull request +15624 from c9/escape-html-issues

fix html escape issues
2017-09-08 12:23:28 +02:00 · 2017-09-08 12:23:28 +02:00 · 672a730a7d
commit 672a730a7d
--- a/plugins/c9.ide.immediate/evaluators/debugnode.js
+++ b/plugins/c9.ide.immediate/evaluators/debugnode.js
@ -1,18 +1,19 @@
 define(function(require, exports, module) {
    main.consumes = [
-        "immediate", "settings", "debugger", "Evaluator", "callstack", "ui"
+        "immediate", "debugger", "Evaluator", "callstack", "ui"
    ];
    main.provides = ["immediate.debugnode"];
    return main;

    function main(options, imports, register) {
        var Evaluator = imports.Evaluator;
-        var settings = imports.settings;
        var debug = imports.debugger;
        var immediate = imports.immediate;
        var callstack = imports.callstack;
        var ui = imports.ui;
        
+        var escapeHTML = require("ace/lib/lang").escapeHTML;
+        
        /***** Initialization *****/
        
        var plugin = new Evaluator("Ajax.org", main.consumes, {
@ -450,7 +451,7 @@ define(function(require, exports, module) {
                    else {
                        // A value of unknown type which does not have any properties - assume it is a language-specific
                        // primitive type.
-                        insert(html, value, name);
+                        insert(html, escapeHTML(value), name);
                    }
                }
            }
--- a/plugins/c9.ide.upload/upload_progress.js
+++ b/plugins/c9.ide.upload/upload_progress.js
@ -16,6 +16,7 @@ define(function(require, exports, module) {
        var css = require("text!./upload_progress.css");
        var TreeData = require("ace_tree/data_provider");
        var Tree = require("ace_tree/tree");
+        var escapeHTML = require("ace/lib/lang").escapeHTML;
        
        var boxUploadActivityMarkup = require("text!./markup/box_upload_activity.xml");
        
@ -79,10 +80,10 @@ define(function(require, exports, module) {
            mdlUploadActivity.rowHeightInner = 20;
            mdlUploadActivity.getContentHTML = function(node) {
                return "<span class='uploadactivity-caption'>"
-                    + node.label
+                    + escapeHTML(node.label)
                    + "</span>"
                    + "<span class='uploadactivity-progress'>"
-                    + (node.progress == undefined ? "&nbsp;" : node.progress + "%") + "</span>"
+                    + (node.progress == undefined ? "&nbsp;" : escapeHTML(node.progress + "%")) + "</span>"
                    + "<span class='uploadactivity-delete'>&nbsp;</span>";
            };
            mdlUploadActivity.updateProgress = function(node, val) {