Escape all data being turned into HTML. Fixes auxesis#29

edennis-digisynd · Feb 15, 2011 · 982dbfc · 982dbfc
1 parent e5ae56f
commit 982dbfc
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/lib/visage-app/views/profile.haml b/lib/visage-app/views/profile.haml
@@ -4,13 +4,17 @@
 %div#profile
   %h2#profile_name= profile_name
   - @profile.graphs.each do |graph|
-    %div{:id => graph.id, :class => 'graph'}
+    id       = URI.escape(graph.id)
+    host     = URI.escape(graph.host)
+    plugin   = URI.escape(graph.plugin)
+    instance = URI.escape(graph.instances.join(','))
+    %div{:id => id, :class => 'graph'}
       %img{:src => link_to("/images/loader.gif")}
       :javascript
         window.addEvent('domready', function() {
-          var graph = new visageGraph('#{graph.id}', '#{graph.host}', '#{graph.plugin}', {
-            pluginInstance: '#{graph.instances.join(',')}',
-            //name:           '#{graph.plugin} on #{graph.host}',
+          var graph = new visageGraph('#{id}', '#{host}', '#{plugin}', {
+            pluginInstance: '#{instance}',
+            //name:           '#{plugin} on #{host}',
             start:          '#{@start}',
             finish:         '#{@finish}',
             #{ "baseurl: '" + ENV['BASE_URL'].gsub(/^\//, '') if ENV['BASE_URL'] }