Commit 491c213a authored by Connor Shea's avatar Connor Shea

Fix unescaped strings in Underscore templates.

parent 65187efa
...@@ -11,11 +11,11 @@ issuable_created = false ...@@ -11,11 +11,11 @@ issuable_created = false
initTemplates: -> initTemplates: ->
Issuable.labelRow = _.template( Issuable.labelRow = _.template(
'<% _.each(labels, function(label){ %> '<% _.each(labels, function(label){ %>
<span class="label-row btn-group" role="group" aria-label="<%= _.escape(label.title) %>" style="color: <%= label.text_color %>;"> <span class="label-row btn-group" role="group" aria-label="<%- label.title %>" style="color: <%- label.text_color %>;">
<a href="#" class="btn btn-transparent has-tooltip" style="background-color: <%= label.color %>;" title="<%= _.escape(label.description) %>" data-container="body"> <a href="#" class="btn btn-transparent has-tooltip" style="background-color: <%- label.color %>;" title="<%- label.description %>" data-container="body">
<%= _.escape(label.title) %> <%- label.title %>
</a> </a>
<button type="button" class="btn btn-transparent label-remove js-label-filter-remove" style="background-color: <%= label.color %>;" data-label="<%= _.escape(label.title) %>"> <button type="button" class="btn btn-transparent label-remove js-label-filter-remove" style="background-color: <%- label.color %>;" data-label="<%- label.title %>">
<i class="fa fa-times"></i> <i class="fa fa-times"></i>
</button> </button>
</span> </span>
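Review bot: The `<%- label.color %>` and `<%- label.text_color %>` interpolations inside the `style` attributes on the `<span class="label-row ...">`, `<a ... has-tooltip">` and `<button ... label-remove">` lines are now HTML-escaped, which stops a value from closing the attribute, but escaping does not constrain the value to a CSS color: `;`, `(`, `)` and `/` survive, so a non-color value in those fields could still append further declarations to the inline style. Unless the server already validates these fields as hex colors (not visible here), the template should reject anything else, e.g. `style="color: <%- /^#[0-9a-f]{3,6}$/i.test(label.text_color) ? label.text_color : '' %>;"`, or better, validate once where labels are loaded and document that the templates rely on it. The same pattern is on the `<span class="label has-tooltip color-label" ...>` line of the LabelsSelect hunk. initTemplates continues outside this hunk.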
......
...@@ -32,9 +32,9 @@ class @LabelsSelect ...@@ -32,9 +32,9 @@ class @LabelsSelect
if issueUpdateURL if issueUpdateURL
labelHTMLTemplate = _.template( labelHTMLTemplate = _.template(
'<% _.each(labels, function(label){ %> '<% _.each(labels, function(label){ %>
<a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name[]=<%= _.escape(label.title) %>"> <a href="<%- ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name[]=<%- label.title %>">
<span class="label has-tooltip color-label" title="<%= _.escape(label.description) %>" style="background-color: <%= label.color %>; color: <%= label.text_color %>;"> <span class="label has-tooltip color-label" title="<%- label.description %>" style="background-color: <%- label.color %>; color: <%- label.text_color %>;">
<%= _.escape(label.title) %> <%- label.title %>
</span> </span>
</a> </a>
<% }); %>' <% }); %>'
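Review bot: On the `<a href="... issues?label_name[]=<%- label.title %>">` line the title lands in a query-string parameter, and `<%- %>` only HTML-escapes it; it does not URL-encode, so a title containing `&`, `#`, `%`, `+` or `?` yields a link whose query is parsed differently from the intended label name (a wrong filter rather than an injection, since the attribute itself stays escaped). Encoding for the URL layer first and letting the template escape the result covers both contexts: `issues?label_name[]=<%- encodeURIComponent(label.title) %>`. The `issueURLSplit` segments joined on the same line come from an existing URL and are presumably already path-encoded, but that is not visible here. The `_.template(` call opened above the hunk is closed outside it.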
......
...@@ -24,14 +24,14 @@ class @MilestoneSelect ...@@ -24,14 +24,14 @@ class @MilestoneSelect
if issueUpdateURL if issueUpdateURL
milestoneLinkTemplate = _.template( milestoneLinkTemplate = _.template(
'<a href="/<%= namespace %>/<%= path %>/milestones/<%= iid %>" class="bold has-tooltip" data-container="body" title="<%= remaining %>"><%= _.escape(title) %></a>' '<a href="/<%- namespace %>/<%- path %>/milestones/<%- iid %>" class="bold has-tooltip" data-container="body" title="<%- remaining %>"><%- title %></a>'
) )
milestoneLinkNoneTemplate = '<span class="no-value">None</span>' milestoneLinkNoneTemplate = '<span class="no-value">None</span>'
collapsedSidebarLabelTemplate = _.template( collapsedSidebarLabelTemplate = _.template(
'<span class="has-tooltip" data-container="body" title="<%= remaining %>" data-placement="left"> '<span class="has-tooltip" data-container="body" title="<%- remaining %>" data-placement="left">
<%= _.escape(title) %> <%- title %>
</span>' </span>'
) )
......
...@@ -61,8 +61,8 @@ class @UsersSelect ...@@ -61,8 +61,8 @@ class @UsersSelect
collapsedAssigneeTemplate = _.template( collapsedAssigneeTemplate = _.template(
'<% if( avatar ) { %> '<% if( avatar ) { %>
<a class="author_link" href="/u/<%= username %>"> <a class="author_link" href="/u/<%- username %>">
<img width="24" class="avatar avatar-inline s24" alt="" src="<%= avatar %>"> <img width="24" class="avatar avatar-inline s24" alt="" src="<%- avatar %>">
<span class="author">Toni Boehm</span> <span class="author">Toni Boehm</span>
</a> </a>
<% } else { %> <% } else { %>
...@@ -72,13 +72,13 @@ class @UsersSelect ...@@ -72,13 +72,13 @@ class @UsersSelect
assigneeTemplate = _.template( assigneeTemplate = _.template(
'<% if (username) { %> '<% if (username) { %>
<a class="author_link bold" href="/u/<%= username %>"> <a class="author_link bold" href="/u/<%- username %>">
<% if( avatar ) { %> <% if( avatar ) { %>
<img width="32" class="avatar avatar-inline s32" alt="" src="<%= avatar %>"> <img width="32" class="avatar avatar-inline s32" alt="" src="<%- avatar %>">
<% } %> <% } %>
<span class="author"><%= name %></span> <span class="author"><%- name %></span>
<span class="username"> <span class="username">
@<%= username %> @<%- username %>
</span> </span>
</a> </a>
<% } else { %> <% } else { %>
......