From 2602dbb67288590f92ff7dfe01ce896ed3677436 Mon Sep 17 00:00:00 2001
From: slawa
Date: Mon, 19 May 2014 14:51:59 +0300
Subject: [PATCH] Escape html/script data that is introduced in field tittle of cost report
---
 .../javascripts/reporting_engine/reporting/controls.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/assets/javascripts/reporting_engine/reporting/controls.js b/lib/assets/javascripts/reporting_engine/reporting/controls.js
index f2ab169046..b569ef6be5 100644
--- a/lib/assets/javascripts/reporting_engine/reporting/controls.js
+++ b/lib/assets/javascripts/reporting_engine/reporting/controls.js
@@ -63,6 +63,11 @@ Reporting.Controls = {
 onFailure: function (editor, response) {
 Reporting.flash(response.responseText);
 },
+ ajaxOptions: {
+ onSuccess: function (xhr) {
+ xhr.responseText = OpenProject.Helpers.markupEscape(xhr.responseText);
+ }
+ },
 onComplete: function () {
 Reporting.Controls.update_report_lists();
 }
@@ -207,5 +212,3 @@ Reporting.onload(function () {
 Reporting.Controls.attach_settings_callback($("query-icon-apply-button"), Reporting.Controls.update_result_table);
 Reporting.Controls.observe_click($('query-link-clear'), Reporting.Controls.clear_query);
 });
-
-
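Review bot: The added `ajaxOptions.onSuccess` escapes the whole response at one client-side sink, which treats the symptom rather than the source: the title is presumably also rendered into the report page on initial load and by any other request that echoes it, and those paths stay unescaped unless the server escapes the title where it is emitted. The durable fix is server-side escaping at render time, with this hook kept only as defence in depth. The hook also relies on the in-place editor reading `responseText` from the same `xhr` object after `onSuccess` has rewritten it; if the library copies the body before invoking the callback the assignment is a no-op, so a regression test with a title containing `<` and `&` should confirm the rendered text shows them literally. A short why-comment above `ajaxOptions:`, such as `// the editor inserts the response as HTML; escape it so markup in a user-supplied title is shown literally`, would make the intent clear to the next maintainer. The enclosing `Reporting.Controls` object starts and ends outside the hunk.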