[bug] Template strings passed to javascript were not escaped.

Fixed by escaping them with escape_cstr filter.
sympa-community · Oct 3, 2018 · de3c739 · de3c739
1 parent 441761e
commit de3c739
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 13 deletions.
diff --git a/default/web_tt2/head_javascript.tt2 b/default/web_tt2/head_javascript.tt2
@@ -10,19 +10,19 @@
 <!--
 [%# A few configuration settings and miscellaneous vars. ~%]
 var sympa = {
-    backText:           "[%|loc%]Back[%END%]",
-    calendarButtonText: "[%|loc%]Calendar[%END%]",
+    backText:           '[%"Back"|loc|escape_cstr%]',
+    calendarButtonText: '[%"Calendar"|loc|escape_cstr%]',
     calendarFirstDay:   0,
-    closeText:          "[%|loc%]Close[%END%]",
-    dayNames:           "[%|loc%]Sunday:Monday:Tuesday:Wednesday:Thursday:Friday:Saturday[%END%]".split(":"),
-    dayNamesMin:        "[%|loc%]Su:Mo:Tu:We:Th:Fr:Sa[%END%]".split(":"),
-    home_url:           '[% path_cgi %]/',
-    icons_url:          '[% icons_url %]',
-    lang:               '[% lang %]',
-    loadingText:        "[%|loc%]Please Wait...[%END%]",
-    monthNamesShort:    "[%|loc%]Jan:Feb:Mar:Apr:May:Jun:Jul:Aug:Sep:Oct:Nov:Dec[%END%]".split(":"),
-    openInNewWinText:   "[%|loc%]Open in a new window[%END%]",
-    resetText:          "[%|loc%]Reset[%END%]"
+    closeText:          '[%"Close"|loc|escape_cstr%]',
+    dayNames:           '[%"Sunday:Monday:Tuesday:Wednesday:Thursday:Friday:Saturday"|loc|escape_cstr%]'.split(":"),
+    dayNamesMin:        '[%"Su:Mo:Tu:We:Th:Fr:Sa"|loc|escape_cstr%]'.split(":"),
+    home_url:           '[% path_cgi | escape_cstr %]/',
+    icons_url:          '[% icons_url | escape_cstr %]',
+    lang:               '[% lang | escape_cstr %]',
+    loadingText:        '[%"Please Wait..."|loc|escape_cstr%]',
+    monthNamesShort:    '[%"Jan:Feb:Mar:Apr:May:Jun:Jul:Aug:Sep:Oct:Nov:Dec"|loc|escape_cstr%]'.split(":"),
+    openInNewWinText:   '[%"Open in a new window"|loc|escape_cstr%]',
+    resetText:          '[%"Reset"|loc|escape_cstr%]'
 };
 [%# Variable for backward compatibility. ~%]
 var lang = '[% lang %]';

diff --git a/default/web_tt2/stats.tt2 b/default/web_tt2/stats.tt2
@@ -21,7 +21,7 @@
     <!--
       var line = [% o.stats_values %];
       $.jqplot('[% chartid %]', [line], {
-        title: '[% o.title.replace('([\\\\\'])', '\\\\$1') %]',
+        title: '[% o.title | escape_cstr %]',
         axesDefaults: {
           min: 0,
           tickRenderer: $.jqplot.CanvasAxisTickRenderer,