avoid html injection in item title
authorarno <arenevier@fdn.fr>
Thu, 20 Aug 2009 10:14:05 +0000 (12:14 +0200)
committerarno <arenevier@fdn.fr>
Thu, 20 Aug 2009 12:17:26 +0000 (14:17 +0200)
js/syp.js

index a7586ca7d0fedc4232f1a85318f4bcc19dbba159..8ebc30237507f2c6a6af0985cb59194db5af3895 100644 (file)
--- a/js/syp.js
+++ b/js/syp.js
@@ -212,8 +212,9 @@ var SYP = {
         }
         var contentHTML;
         if (feature.cluster[0].attributes.name) {
+            // escaping name is necessary because it's not enclosed in another html tag.
             contentHTML = "<h2>" +
-                          feature.cluster[0].attributes.name + 
+                          SYP.Utils.escapeHTML(feature.cluster[0].attributes.name) +
                           "</h2>" + 
                           feature.cluster[0].attributes.description;
         } else {
@@ -384,6 +385,18 @@ var SYP = {
             }
             div.style.display = "block";
             div.appendChild(textNode);
+        },
+
+        escapeHTML: function (str) {
+            if (!str) {
+                return "";
+            }
+            return str.
+             replace(/&/gm, '&amp;').
+             replace(/'/gm, '&#39;').
+             replace(/"/gm, '&quot;').
+             replace(/>/gm, '&gt;').
+             replace(/</gm, '&lt;');
         }
     }
 };