Merge remote-tracking branch 'dev/master' into 'master'

author: Robert Speicher <rspeicher@gmail.com> 2016-04-19 23:10:39 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2016-04-19 23:10:39 +0300
commit: c3cc3320805af4f86a1304ace787ec56102e2204 (patch)
tree: 0d8fcc07772b9ae557e6fa2e05ab916a8b399b1f
parent: 7543bc17764079ff04625c3c1d610cd0ddf58fc1 (diff)
parent: 33a483e702c770bc93033fdf3f6e24a760140ac0 (diff)
2 files changed, 7 insertions, 7 deletions
diff --git a/app/assets/javascripts/labels_select.js.coffee b/app/assets/javascripts/labels_select.js.coffee
index bc80980acb7..1131492b7ae 100644
--- a/app/assets/javascripts/labels_select.js.coffee
+++ b/app/assets/javascripts/labels_select.js.coffee
@@ -33,13 +33,13 @@ class @LabelsSelect
       if issueUpdateURL
         labelHTMLTemplate = _.template(
             '<% _.each(labels, function(label){ %>
-            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name=<%= label.title %>">
-            <span class="label has-tooltip color-label" title="<%= label.description %>" style="background-color: <%= label.color %>;">
-            <%= label.title %>
+            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name=<%= _.escape(label.title) %>">
+            <span class="label has-tooltip color-label" title="<%= _.escape(label.description) %>" style="background-color: <%= label.color %>;">
+            <%= _.escape(label.title) %>
             </span>
             </a>
             <% }); %>'
-        );
+        )
         labelNoneHTMLTemplate = _.template('<div class="light">None</div>')
 
       if newLabelField.length and $dropdown.hasClass 'js-extra-options'
@@ -211,7 +211,7 @@ class @LabelsSelect
           "<li>
             <a href='#' class='#{selectedClass}'>
               #{color}
-              #{label.title}
+              #{_.escape(label.title)}
             </a>
           </li>"
         filterable: true
diff --git a/app/assets/javascripts/milestone_select.js.coffee b/app/assets/javascripts/milestone_select.js.coffee
index 6bd4e885a03..04fd5cf37bd 100644
--- a/app/assets/javascripts/milestone_select.js.coffee
+++ b/app/assets/javascripts/milestone_select.js.coffee
@@ -24,7 +24,7 @@ class @MilestoneSelect
 
       if issueUpdateURL
         milestoneLinkTemplate = _.template(
-          '<a href="/<%= namespace %>/<%= path %>/milestones/<%= iid %>"><%= title %></a>'
+          '<a href="/<%= namespace %>/<%= path %>/milestones/<%= iid %>"><%= _.escape(title) %></a>'
         )
 
         milestoneLinkNoneTemplate = '<div class="light">None</div>'
@@ -71,7 +71,7 @@ class @MilestoneSelect
             defaultLabel
         fieldName: $dropdown.data('field-name')
         text: (milestone) ->
-          milestone.title
+          _.escape(milestone.title)
         id: (milestone) ->
           if !useId
             milestone.name
author	Robert Speicher <rspeicher@gmail.com>	2016-04-19 23:10:39 +0300
committer	Robert Speicher <rspeicher@gmail.com>	2016-04-19 23:10:39 +0300
commit	c3cc3320805af4f86a1304ace787ec56102e2204 (patch)
tree	0d8fcc07772b9ae557e6fa2e05ab916a8b399b1f
parent	7543bc17764079ff04625c3c1d610cd0ddf58fc1 (diff)
parent	33a483e702c770bc93033fdf3f6e24a760140ac0 (diff)