From 441da3baad4720c4ff62f2b6eda1cc6af08ab1b8 Mon Sep 17 00:00:00 2001
From: arno <arenevier@fdn.fr>
Date: Thu, 20 Aug 2009 12:14:05 +0200
Subject: [PATCH] avoid html injection in item title

---
 js/syp.js | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/js/syp.js b/js/syp.js
index a7586ca..8ebc302 100644
--- a/js/syp.js
+++ b/js/syp.js
@@ -212,8 +212,9 @@ var SYP = {
         }
         var contentHTML;
         if (feature.cluster[0].attributes.name) {
+            // escaping name is necessary because it's not enclosed in another html tag.
             contentHTML = "<h2>" +
-                          feature.cluster[0].attributes.name + 
+                          SYP.Utils.escapeHTML(feature.cluster[0].attributes.name) +
                           "</h2>" + 
                           feature.cluster[0].attributes.description;
         } else {
@@ -384,6 +385,18 @@ var SYP = {
             }
             div.style.display = "block";
             div.appendChild(textNode);
+        },
+
+        escapeHTML: function (str) {
+            if (!str) {
+                return "";
+            }
+            return str.
+             replace(/&/gm, '&amp;').
+             replace(/'/gm, '&#39;').
+             replace(/"/gm, '&quot;').
+             replace(/>/gm, '&gt;').
+             replace(/</gm, '&lt;');
         }
     }
 };
-- 
2.39.2