Index: lams_central/web/includes/javascript/learning-design-treeview.js
===================================================================
diff -u -r2e9ff38d5024435ae1fb89e1687fb7de11d335fd -rb4dd2f1d602d62bc4c65971ad9711d48c3a771b9
--- lams_central/web/includes/javascript/learning-design-treeview.js (.../learning-design-treeview.js) (revision 2e9ff38d5024435ae1fb89e1687fb7de11d335fd)
+++ lams_central/web/includes/javascript/learning-design-treeview.js (.../learning-design-treeview.js) (revision b4dd2f1d602d62bc4c65971ad9711d48c3a771b9)
@@ -71,7 +71,8 @@
$.each(response.folders, function(index){
// folderID == -2 is courses folder
var canSave = this.folderID > 0 && !this.isRunSequencesFolder;
- result.push({'text' : (this.isRunSequencesFolder ? runSequencesFolderLabel : this.name)
+ result.push({'text' : (this.isRunSequencesFolder ? runSequencesFolderLabel
+ : ldTreeview.escapeHtml(this.name))
+ (canSave ? '' : ' '),
'nodes' : [],
'folderID' : this.folderID,
@@ -84,9 +85,10 @@
}
if (response.learningDesigns) {
$.each(response.learningDesigns, function(){
- var canModify = canSave && this.canModify;
- result.push({'label' : this.name,
- 'text' : this.name + (this.readOnly ? ' ' : ''),
+ var canModify = canSave && this.canModify,
+ name = ldTreeview.escapeHtml(this.name);
+ result.push({'label' : name,
+ 'text' : name + (this.readOnly ? ' ' : ''),
'learningDesignId' : this.learningDesignId,
'canHaveReadOnly' : canHaveReadOnly,
'canModify' : canModify,
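Review bot: `'label' : name` now stores the HTML-escaped string, not the raw learning design name, so any consumer that uses `label` in a text context (a `title` attribute set via jQuery, a search/filter compared against user-typed text, or `.text()`) will show or match `&amp;`/`&lt;` literally for names containing `&`, `<`, `"` or `'`; the consumers are outside this hunk, so this is inferred from the field name. Escaping is only correct at the point where the value is inserted as HTML, which here is the `text` field, so I would keep `'label' : this.name` raw and escape only `text`, or add a comment on the `label` key stating that it is already HTML-escaped and must not be escaped again or used as plain text. The `$.each` callback and the enclosing function continue outside the hunk.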
@@ -148,5 +150,17 @@
// update counters for next click
this.nodeLastSelectedTime = currentTimestamp;
this.nodeLastSelectedId = node.nodeId;
+ },
+
+ /**
+ * Escapes HTML tags to prevent XSS injection.
+ */
+ escapeHtml : function(unsafe) {
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
}
}
\ No newline at end of file
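Review bot: As shown, the replacement table in `escapeHtml` does not escape anything: `&`, `"` and `'` are replaced by themselves, the `>` branch has an empty pattern (`//g`, which is not valid JavaScript), and there is no `<` case at all; this is very likely the page decoding the `&amp;`-style entities, but the committed function must emit `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;`, with `&` handled first as it is here, otherwise the XSS fix is a no-op. Separately, `unsafe.replace` throws a TypeError when a folder or design `name` is null or undefined, which aborts the callers' `$.each` loops and leaves the whole tree unrendered, so the function should coerce non-strings and map null/undefined to `''`. The doc comment should also state the contract: the output is safe as element content or a quoted attribute value, not in JavaScript or URL contexts.
```javascript
/**
 * Escapes the five HTML-significant characters so that `unsafe` can be inserted
 * as element content or as a double/single-quoted attribute value.
 * Null and undefined become the empty string. Not sufficient for JS or URL contexts.
 */
escapeHtml : function(unsafe) {
    if (unsafe === null || unsafe === undefined) {
        return '';
    }
    // '&' must be replaced first so the entities introduced below are not re-escaped.
    return String(unsafe)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
}
```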