
0001-fixes-5471-html-escape-auto-completer-values.patch

v1 patch - Dominic Cleal, 05/07/2014 11:05 AM


app/controllers/concerns/foreman/controller/auto_complete_search.rb
6 6
      model = controller_name == "hosts" ? Host::Managed : model_of_controller
7 7
      @items = model.complete_for(params[:search])
8 8
      @items = @items.map do |item|
9
        category = (['and','or','not','has'].include?(item.to_s.sub(/^.*\s+/,''))) ? 'Operators' : ''
9
        category = (['and','or','not','has'].include?(item.to_s.sub(/^.*\s+/,''))) ? _('Operators') : ''
10 10
        part = item.to_s.sub(/^.*\b(and|or)\b/i) {|match| match.sub(/^.*\s+/,'')}
11 11
        completed = item.to_s.chomp(part)
12
        {:completed => completed, :part => part, :label => item, :category => category}
12
        {:completed => CGI::escapeHTML(completed), :part => CGI::escapeHTML(part), :label => item, :category => category}
13 13
      end
14 14
    rescue ScopedSearch::QueryNotSupported => e
15 15
      @items = [{:error =>e.to_s}]
16
-
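Review bot: The rescue branch `@items = [{:error =>e.to_s}]` still returns the exception message unescaped, and a ScopedSearch::QueryNotSupported message will typically echo part of the user-supplied `params[:search]`, so if the front end inserts `error` into the DOM the same way it does `completed`/`part`, this path bypasses the escaping the patch adds; `{:error => CGI::escapeHTML(e.to_s)}` would close it. `:label => item` is likewise left raw, which is only safe if the autocompleter renders labels as text rather than HTML — not visible from this hunk. As a design point, escaping inside the controller bakes HTML entities into a JSON response that other consumers may reuse; escaping at the rendering side keeps the data clean and avoids the inconsistency between the escaped and unescaped keys. The method's `end` lies beyond the hunk.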