removed xss vulnerability from tasks#index

te0d · Nov 16, 2012 · bcb2ed3 · bcb2ed3
1 parent 437b680
commit bcb2ed3
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/app/assets/javascripts/plotting.js.coffee b/app/assets/javascripts/plotting.js.coffee
diff --git a/app/controllers/tasks_controller.rb b/app/controllers/tasks_controller.rb
@@ -17,7 +17,7 @@ def index
 
     for i in 0..6
       @tasks_by_day[i+1] = Array.new
-      @tasks_by_day[i+1][0] = 7-i
+      @tasks_by_day[i+1][0] = "new Date(#{Date.today.year}, 0, #{Date.today.yday - (i)})"
       @tasks_by_day[i+1][1] = 0
     end
 

diff --git a/app/views/hours/_chart.html.erb b/app/views/hours/_chart.html.erb
@@ -13,7 +13,7 @@
 
     var date = new Date(<%= @task.created_at.year %>, 0, <%= @task.created_at.yday - 7 %>)
 
-    <% for day in 1...((Time.zone.now - @task.created_at)/60/60/24 + 7).ceil %>
+    <% for day in 1..((Time.zone.now - @task.created_at)/60/60/24 + 7).ceil %>
       data.addRow([date, <%= @task.ammt_hours_in_range(1, :day, ((Time.zone.now - @task.created_at)/60/60/24 + 7).ceil - day) %>]);
       date = new Date(<%= @task.created_at.year %>, 0, (<%= @task.created_at.yday - 6 + day %>))
     <% end %>

diff --git a/app/views/tasks/_stats.html.erb b/app/views/tasks/_stats.html.erb
@@ -7,7 +7,19 @@
     # to protect from XSS attacks rails escapes quotes and like characters, e.g. &quot;
     # the function raw allows for whatever is entered to be introduced to the source
 %>
-    var data = google.visualization.arrayToDataTable(<%= raw @tasks_by_day.to_s %>);
+    var data = new google.visualization.DataTable();
+    var start_date = new Date();
+    var end_date = new Date(Date.now());
+    start_date.setDate(end_date.getDate()-7);
+
+    data.addColumn('date', 'Date');
+    data.addColumn('number', 'Total');
+
+    <% @tasks.each do |task| %>
+      data.addColumn('number', '<%= task.name %>')
+    <% end %>
+
+    data.addRows(<%= @tasks_by_day[1..-1].reverse.to_s.gsub('"','') %>)
 
     var options = {
       title: 'Tasks over the Past Week'