Merge pull request #31 from finnlabs/stable_fix/7505_HTML_scripts_are_not_escaped

[Stable][Fix] 7505 html scripts are not escaped
11 years ago · b05301d38a
parent f81b1f53c7 14b36d9437
commit b05301d38a
1 changed files with 5 additions and 2 deletions
--- a/lib/assets/javascripts/reporting_engine/reporting/controls.js
+++ b/lib/assets/javascripts/reporting_engine/reporting/controls.js
@ -63,6 +63,11 @@ Reporting.Controls = {
      onFailure: function (editor, response) {
        Reporting.flash(response.responseText);
      },
+      ajaxOptions: {
+        onSuccess: function (xhr) {
+            xhr.responseText = OpenProject.Helpers.markupEscape(xhr.responseText);
+        }
+      },
      onComplete: function () {
        Reporting.Controls.update_report_lists();
      }
@ -207,5 +212,3 @@ Reporting.onload(function () {
  Reporting.Controls.attach_settings_callback($("query-icon-apply-button"), Reporting.Controls.update_result_table);
  Reporting.Controls.observe_click($('query-link-clear'), Reporting.Controls.clear_query);
 });
-
-