
github.com/matomo-org/matomo.git - Unnamed repository; edit this file 'description' to name the repository.
authorBenaka Moorthi <benaka.moorthi@gmail.com>2013-06-19 10:40:05 +0400
committerBenaka Moorthi <benaka.moorthi@gmail.com>2013-06-19 10:40:05 +0400
commite8ec08565cf6975c57323fa3eb2535b664f6b8b7 (patch)
tree687f35ab83502159b1bbdd8a96cdaa28cf8fa78e /plugins
parentf9af4b22914721e71f9f430ffa00be8a2d156158 (diff)
Make sure 'Content-Type: application/json' is sent w/ default result of Dashboard.getAllDashboards controller action and use $.text for untrusted content in three places in dashboard.js.
Diffstat (limited to 'plugins')
-rw-r--r--plugins/Dashboard/Controller.php3
-rw-r--r--plugins/Dashboard/templates/dashboard.js6
2 files changed, 6 insertions, 3 deletions
diff --git a/plugins/Dashboard/Controller.php b/plugins/Dashboard/Controller.php
index 0fdbba275f..b9e84b891b 100644
--- a/plugins/Dashboard/Controller.php
+++ b/plugins/Dashboard/Controller.php
@@ -153,8 +153,11 @@ class Piwik_Dashboard_Controller extends Piwik_Controller
public function getAllDashboards()
{
$this->checkTokenInUrl();
+
if (Piwik::isUserIsAnonymous()) {
+ Piwik_DataTable_Renderer_Json::sendHeaderJSON();
echo '[]';
+
return;
}
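Review bot: The JSON content type is set only inside the anonymous early-return branch, so every exit path of getAllDashboards() has to remember to send it separately. The rest of the method lies outside this hunk, so I cannot confirm that the authenticated path sends the same header. If it does, calling `Piwik_DataTable_Renderer_Json::sendHeaderJSON();` once, directly after `$this->checkTokenInUrl();`, would cover every return and keep a branch added later from falling back to the default content type. That matters most on the path that returns real dashboard names, since a JSON body served as HTML can be interpreted as markup by a browser.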
diff --git a/plugins/Dashboard/templates/dashboard.js b/plugins/Dashboard/templates/dashboard.js
index 40a3cb04fd..ee9ec8867b 100644
--- a/plugins/Dashboard/templates/dashboard.js
+++ b/plugins/Dashboard/templates/dashboard.js
@@ -122,7 +122,7 @@ function renameDashboard() {
}
function removeDashboard() {
- $('#removeDashboardConfirm').find('h2 span').html($('#dashboardWidgetsArea').dashboard('getDashboardName'));
+ $('#removeDashboardConfirm').find('h2 span').text($('#dashboardWidgetsArea').dashboard('getDashboardName'));
piwikHelper.modalConfirm('#removeDashboardConfirm', {yes: function () { $('#dashboardWidgetsArea').dashboard('removeDashboard'); }});
}
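Review bot: Nothing at the changed line in removeDashboard() records why `.text()` is required, so a later cleanup could switch it back to `.html()` without noticing the regression. I would add a comment above it such as `// dashboard name is user-supplied: insert as text, never as markup`. The same applies to the two `<option>` labels changed in the copyDashboardToUser() hunk below, where `user.login` and `user.alias` come from a server response. Other readers of `getDashboardName` are outside this diff and would be worth checking for the same `.html()` pattern.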
@@ -159,12 +159,12 @@ function copyDashboardToUser() {
function (availableUsers) {
$('#copyDashboardUser').empty();
$('#copyDashboardUser').append(
- $('<option></option>').val(piwik.userLogin).html(piwik.userLogin)
+ $('<option></option>').val(piwik.userLogin).text(piwik.userLogin)
);
$.each(availableUsers, function (index, user) {
if (user.login != 'anonymous' && user.login != piwik.userLogin) {
$('#copyDashboardUser').append(
- $('<option></option>').val(user.login).html(user.login + ' (' + user.alias + ')')
+ $('<option></option>').val(user.login).text(user.login + ' (' + user.alias + ')')
);
}
});
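Review bot: The login checks in the `$.each` callback use loose `!=`; `user.login !== 'anonymous' && user.login !== piwik.userLogin` avoids type coercion on values that arrive from the server. The block also re-queries `$('#copyDashboardUser')` on every iteration, where `var $select = $('#copyDashboardUser').empty();` once before the loop would do. copyDashboardToUser() starts and ends outside this hunk, so this covers only the visible callback.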