From 764cd218c5fc0e26aaaa3cea63d6e1467b15afb0 Mon Sep 17 00:00:00 2001
From: Kushal Pandya
Date: Thu, 4 Apr 2019 19:38:22 +0530
Subject: [PATCH] Fix labels selection, escape text in templates

---
 app/assets/javascripts/labels_select.js | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/app/assets/javascripts/labels_select.js b/app/assets/javascripts/labels_select.js
index b021dcc1853..7d21a216443 100644
--- a/app/assets/javascripts/labels_select.js
+++ b/app/assets/javascripts/labels_select.js
@@ -160,7 +160,7 @@ export default class LabelsSelect {
 * and then remove the excess ones.
 */
 const toRemoveIds = Array.from(
- $form.find("input[type='hidden'][name='" + fieldName + "']"),
+ $form.find(`input[type="hidden"][name="${fieldName}"]`),
 )
 .map(el => el.value)
 .map(Number);
@@ -172,7 +172,8 @@ export default class LabelsSelect {
 toRemoveIds.forEach(id => {
 $form
- .find("input[type='hidden'][name='" + fieldName + "'][value='" + id + "']")
+ .find(`input[type="hidden"][name="${fieldName}"][value="${id}"]`)
+ .last()
 .remove();
 });
 }
@@ -518,7 +519,7 @@ export default class LabelsSelect {
 const labelTemplate = _.template(
 [
 '?label_name[]=<%- encodeURIComponent(label.title) %>">',
- ' title="<%= tooltipTitleTemplate({ label, isScopedLabel, enableScopedLabels }) %>" style="background-color: <%- label.color %>; color: <%- label.text_color %>;">',
+ ' title="<%= tooltipTitleTemplate({ label, isScopedLabel, enableScopedLabels, escapeStr }) %>" style="background-color: <%= escapeStr(label.color) %>; color: <%= escapeStr(label.text_color) %>;">',
 '<%- label.title %>',
 '',
 '',
@@ -528,7 +529,7 @@ export default class LabelsSelect {
 const infoIconTemplate = _.template(
 [
 '',
- '',
+ '',
 '',
 ].join(''),
 );
@@ -538,9 +539,9 @@ export default class LabelsSelect {
 '<% if (isScopedLabel(label) && enableScopedLabels) { %>',
 "Scoped label",
 '
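Review bot: The added `.last()` in the forEach narrows the removal from every hidden input carrying this id to only the last one, and nothing on that line says why the remaining copies should stay; the comment above the first hunk only speaks of removing "the excess ones". I would pin the intent on the new line, `.last() // only the surplus copy goes; the first input for this id stays`, adjusted to whatever the filtering between the two hunks actually guarantees. Note that `toRemoveIds` is built from the value of every hidden input in the hunk above, so if the same id appears twice there each occurrence removes one more input, which may or may not be intended. The enclosing method starts above the first hunk and the code between the two hunks is not in the patch.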
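Review bot: `escapeStr(label.color)` and `escapeStr(label.text_color)` are HTML-escaped, which only keeps the value from closing the `style` attribute; it does not constrain it as CSS, so a color such as `red;background:url(...)` would still be interpolated verbatim into the inline style. HTML escaping is the right context for the `title` attribute on the same line, but the `style` value wants a format check instead, e.g. emit the declarations only when `/^#[0-9a-f]{3,8}$/i.test(label.color)` holds, either inline in the template or as a small validator passed alongside `escapeStr`. This may already be enforced when labels are saved on the server, which I cannot see from this patch, but the client template is the last line of defence for data arriving over the API, and this is a low-severity CSS-injection hardening point rather than a script-injection one. The `labelTemplate` array continues outside the hunk, and the visible template lines have lost their tags in this rendering.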
',
- '<%- label.description %>',
+ '<%= escapeStr(label.description) %>',
 '<% } else { %>',
- '<%- label.description %>',
+ '<%= escapeStr(label.description) %>',
 '<% } %>',
 ].join(''),
 );
@@ -552,11 +553,11 @@ export default class LabelsSelect {
 '<% _.each(labels, function(label){ %>',
 '<% if (isScopedLabel(label) && enableScopedLabels) { %>',
 '',
- '<%= labelTemplate({ label, issueUpdateURL, isScopedLabel, enableScopedLabels, tooltipTitleTemplate, linkAttrs: \'data-html="true"\' }) %>',
- '<%= infoIconTemplate({ label,scopedLabelsDocumentationLink }) %>',
+ '<%= labelTemplate({ label, issueUpdateURL, isScopedLabel, enableScopedLabels, tooltipTitleTemplate, escapeStr, linkAttrs: \'data-html="true"\' }) %>',
+ '<%= infoIconTemplate({ label, scopedLabelsDocumentationLink, escapeStr }) %>',
 '',
 '<% } else { %>',
- '<%= labelTemplate({ label, issueUpdateURL, isScopedLabel, enableScopedLabels, tooltipTitleTemplate, linkAttrs: "" }) %>',
+ '<%= labelTemplate({ label, issueUpdateURL, isScopedLabel, enableScopedLabels, tooltipTitleTemplate, escapeStr, linkAttrs: "" }) %>',
 '<% } %>',
 '<% }); %>',
 ].join(''),
@@ -568,6 +569,7 @@ export default class LabelsSelect {
 infoIconTemplate,
 tooltipTitleTemplate,
 isScopedLabel,
+ escapeStr: _.escape,
 });
 }
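Review bot: In the scoped branch `escapeStr(label.description)` is applied once, but this template's output is placed into the link's `title` attribute with a raw `<%= ... %>` (previous hunk) on a link that also receives `linkAttrs: 'data-html="true"'` (hunk below); the browser decodes the attribute's entities when it parses the markup, so a tooltip library that honours `data-html` by writing the decoded title as HTML gets the description's original markup back. Unless the tooltip code sanitizes its content, which this patch does not show, a description such as `<img src=x onerror=...>` would be rendered as live HTML; the non-scoped branch carries no `data-html`, so its single escape is correct. For the scoped branch escape for both contexts, `'<%= escapeStr(escapeStr(label.description)) %>',`, or better, run the description through an HTML sanitizer before interpolating it. The `tooltipTitleTemplate` definition opens above this hunk, and the markup line between "Scoped label" and the description has been stripped in this rendering.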