diff --git a/app/models/account.rb b/app/models/account.rb index 3649a09d374..17bb1caec03 100644 --- a/app/models/account.rb +++ b/app/models/account.rb @@ -186,7 +186,7 @@ class Account < ActiveRecord::Base end def sub_accounts_as_options(indent=0) - res = [[("  " * indent) + self.name, self.id]] + res = [[("  " * indent).html_safe + self.name, self.id]] self.sub_accounts.each do |account| res += account.sub_accounts_as_options(indent + 1) end diff --git a/app/views/accounts/show.html.erb b/app/views/accounts/show.html.erb index 1343e5b291c..7920000164b 100644 --- a/app/views/accounts/show.html.erb +++ b/app/views/accounts/show.html.erb @@ -78,9 +78,6 @@ $(document).ready(function() { // get rid of this lookup part and it will use ajax queries to that serviceUrl above. I just figured this would be faster // and since we dont have that many users per institution we can afford to send it in a pageload. } - $("#course_account_id option").each(function() { - $(this).html($(this).text()); - }); }); <% end %> diff --git a/app/views/accounts/statistics_page_views.html.erb b/app/views/accounts/statistics_page_views.html.erb index 23e77bb3d51..401539e7e53 100644 --- a/app/views/accounts/statistics_page_views.html.erb +++ b/app/views/accounts/statistics_page_views.html.erb @@ -56,10 +56,10 @@ r.g.axis(40, 230, 220, 0, 100, 5, 1, [' ', '20%', '40%', '60%', '80%', '100%'], '|'); r.g.axis(40, 230, 500, 0, 23, 24, 0, ['12am','1am','2am','3am','4am','5am','6am','7am','8am','9am','10am','11am','12pm','1pm','2pm','3pm','4pm','5pm','6pm','7pm','8pm','9pm','10pm','11pm', '12am'], '+'); } else { - $("#hourly_usage").html("No data found for report"); + $("#hourly_usage").text("No data found for report"); } } catch(e) { - $("#hourly_usage").html("Error building usage report: " + e.toString()); + $("#hourly_usage").text("Error building usage report: " + e.toString()); } var pageViewData = <%= raw @account.page_view_data(@start_at, @end_at).to_json %>; 
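Review bot: The `.html_safe` on the indent string in `sub_accounts_as_options` (rendered here as spaces, presumably `&nbsp;`) is doing the escaping work indirectly — a SafeBuffer concatenated with a plain `self.name` escapes the name — and nothing in the hunk says so, which invites a later maintainer to "simplify" it to `(... + self.name).html_safe` and reopen the XSS that the `show.html.erb` hunk stops working around client-side. A one-line comment above the `res = ...` line would pin that down: `# only the indent is marked safe: SafeBuffer#+ HTML-escapes self.name, which is user-controlled`. The recursive `account.sub_accounts_as_options(indent + 1)` entries are built the same way, so they inherit the escaping; how the result is consumed by the select helper is outside this hunk.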
diff --git a/app/views/content_imports/migrate_content_choose.html.erb b/app/views/content_imports/migrate_content_choose.html.erb index 557fe96a639..d36b3c59451 100644 --- a/app/views/content_imports/migrate_content_choose.html.erb +++ b/app/views/content_imports/migrate_content_choose.html.erb @@ -499,7 +499,7 @@ $(document).ready(function() { var code = "ContentMigration:" + $(".content_migration_id:first").text() + ":" + course_import.progress; var message = "There was an error during your migration import. Please notify your system administrator and give them the following code: \"" + code + "\""; $.flashError(message); - $(".progress_message").html(message); //after("
" + message + "
") + $(".progress_message").text(message); } else { if(progress == lastProgress) { waitTime = Math.max(waitTime + 500, 30000); diff --git a/public/javascripts/assignments.js b/public/javascripts/assignments.js index 50b112edbc0..30bdd6e1cb8 100644 --- a/public/javascripts/assignments.js +++ b/public/javascripts/assignments.js @@ -546,9 +546,9 @@ if(rule_type == "drop_lowest") { rules += "Drop the Lowest " + value + " Scores
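Review bot: `$.flashError(message)` on the line above the changed one receives the same `message` string, so switching only `.progress_message` to `.text()` leaves the flash path unverified; whether `$.flashError` escapes its argument depends on its implementation, which is not visible here. `code` is built from `$(".content_migration_id:first").text()` and `course_import.progress`, so the payload is data rather than markup on both paths. If `$.flashError` renders via `.html()`, pass `$.htmlEscape(message)` there (the helper added in instructure_helper.js in this same commit) or make it use `.text()`. The enclosing `$(document).ready` callback starts and ends outside the hunk.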
"; } else if(rule_type == "drop_highest") { - rules += "Drop the Highest " + value + " Scores
"; + rules += "Drop the Highest " + value + " Scores
"; } else if(rule_type == "never_drop") { - var title = $("#assignment_" + value).find(".title").text(); + var title = $("#assignment_" + value).find(".title").html(); rules += "Never Drop " + title + "
"; } } diff --git a/public/javascripts/calendar.js b/public/javascripts/calendar.js index 4019f26acb6..352445d37c9 100644 --- a/public/javascripts/calendar.js +++ b/public/javascripts/calendar.js @@ -594,8 +594,7 @@ if(event.start_time_string && event.start_time_string != event.end_time_string) { title_time += " to " + (event.end_time_formatted || ""); } - // event.title is html escaped, so we need to unescape it for the tooltip - var event_title = $("
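Review bot: Reading `.html()` from `.title` in the `never_drop` branch only works if that element holds escaped text and nothing else; any markup inside it is copied into `rules` verbatim, and the intent — escape before building HTML — is clearer with the helper this commit adds: `var title = $.htmlEscape($("#assignment_" + value).find(".title").text());`. `value` is still concatenated raw into both the `"#assignment_"` selector and the `Drop the ... Scores` strings; if it is anything other than a numeric id from a trusted source it needs the same treatment. The enclosing function starts and ends outside the hunk.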
").html(event.title).text(); + event_title = event.title; event_title += (title_time ? " - " + title_time : ""); if(data.assignment && title_time) { event_title = "due: " + event_title; diff --git a/public/javascripts/content_locks.js b/public/javascripts/content_locks.js index cc55e7887ee..a8638efa2fc 100644 --- a/public/javascripts/content_locks.js +++ b/public/javascripts/content_locks.js @@ -23,13 +23,13 @@ $(document).ready(function() { var data = $(this).data('lock_reason'); var type = data.type || "content"; var $reason = $("
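Review bot: Dropping `var` from the `event_title` assignment turns it into an implicit global (or an assignment to an outer-scope variable) in non-strict code; keep the declaration: `var event_title = event.title;`. The removed comment said `event.title` arrives HTML-escaped, and the new code now puts it straight into the tooltip, so either the title is no longer escaped server-side or the tooltip will show entities such as `&amp;` — which one holds is not visible in this hunk. The enclosing function starts and ends outside the hunk.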
"); - $reason.html("This " + type + " is locked. No other reason has been provided."); + $reason.text("This " + type + " is locked. No other reason has been provided."); if(data.lock_at) { - $reason.html("This " + type + " was locked " + $.parseFromISO(data.lock_at).datetime_formatted); + $reason.text("This " + type + " was locked " + $.parseFromISO(data.lock_at).datetime_formatted); } else if(data.unlock_at) { - $reason.html("This " + type + " is locked until " + $.parseFromISO(data.unlock_at).datetime_formatted); + $reason.text("This " + type + " is locked until " + $.parseFromISO(data.unlock_at).datetime_formatted); } else if(data.context_module) { - $reason.html("This " + type + " is part of the module " + data.context_module.name + " and hasn't been unlocked yet."); + $reason.html("This " + type + " is part of the module " + $.htmlEscape(data.context_module.name) + " and hasn't been unlocked yet."); if($("#context_modules_url").length > 0) { $reason.append("
"); var $link = $(""); diff --git a/public/javascripts/edit_rubric.js b/public/javascripts/edit_rubric.js index f1448348b00..83a7a5fb9cf 100644 --- a/public/javascripts/edit_rubric.js +++ b/public/javascripts/edit_rubric.js @@ -590,7 +590,7 @@ var rubricEditing = { var $name = $dialog.find(".outcomes_select.blank:first").clone(true).removeClass('blank'); outcome.title = outcome.short_description; var $text = $("
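Review bot: In the `context_module` branch `type` is still concatenated unescaped into `.html()`, while `data.context_module.name` now goes through `$.htmlEscape`; both come from the same `data('lock_reason')` payload, so the defaulted `type` deserves the same: `$reason.html("This " + $.htmlEscape(type) + " is part of the module " + $.htmlEscape(data.context_module.name) + " and hasn't been unlocked yet.");`. The other three branches moved to `.text()` and need nothing further. Whether `data.type` can ever be user-controlled depends on how the `lock_reason` attribute is rendered, which is outside this hunk.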
"); - $text.html(outcome.short_description); + $text.text(outcome.short_description); outcome.title = $.truncateText($.trim($text.text()), 35); outcome.display_name = outcome.cached_context_short_name || ""; $name.fillTemplateData({data: outcome}); diff --git a/public/javascripts/feedback.js b/public/javascripts/feedback.js index bc22a0380a1..8cf2cc747a2 100644 --- a/public/javascripts/feedback.js +++ b/public/javascripts/feedback.js @@ -57,7 +57,7 @@ $(document).ready(function() { $dialog.find(".feedback-course-select") .html(function(){ return $.map(courses, function(course){ - return ''; + return ''; }).join(''); }) .showIf(courses.length > 0); diff --git a/public/javascripts/full_files.js b/public/javascripts/full_files.js index 0bec3cee732..77f67155d73 100644 --- a/public/javascripts/full_files.js +++ b/public/javascripts/full_files.js @@ -441,7 +441,7 @@ var files = {}; $(ui.helper).find(".header .sub_header").text("move to " + droppable.name); if(draggable && droppable && draggable.context_string != droppable.context_string) { $(ui.helper).addClass('copy_drag'); - $(ui.helper).find(".header .sub_header").html("copy to " + droppable.name); + $(ui.helper).find(".header .sub_header").html("copy to " + $.htmlEscape(droppable.name)); } }, out: function(event, ui) { @@ -524,7 +524,7 @@ var files = {}; if(!$context_folder || $context_folder.length === 0) { $context_folder = $files_structure.find(".folder_blank").clone(true).removeClass('folder_blank'); } - $context_folder.children(".name").html(context_name); + $context_folder.children(".name").text(context_name); $context_folder.children(".id").text(root_folder.id); $context_folder.addClass('context folder folder_' + root_folder.id + ' ' + context_string); $context_folder.find("li").addClass('to_be_removed'); diff --git a/public/javascripts/instructure_helper.js b/public/javascripts/instructure_helper.js index 7a00e7af724..eab467b87e3 100644 --- a/public/javascripts/instructure_helper.js 
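Review bot: With `.text()` in place the `$text` element is a no-op round trip — `$text.text()` on the following line returns `outcome.short_description` unchanged — so the temporary element can go: `outcome.title = $.truncateText($.trim(outcome.short_description), 35);`. This is also a behavior change the commit should be deliberate about: the old `.html()`/`.text()` pair stripped tags and decoded entities from `short_description`, whereas now any markup in it survives into `title` as literal text (escaped later by `fillTemplateData`). The enclosing `rubricEditing` method starts and ends outside the hunk.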
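Review bot: The `copy to` line in the first full_files.js hunk still uses `.html()` with `$.htmlEscape(droppable.name)`, while the `move to` line just above it uses `.text()` with the raw name; since the literal contains no markup, `.text("copy to " + droppable.name)` is simpler, consistent with its neighbour, and matches the `context_name` change in the second hunk. The `$.htmlEscape` form is only needed when the string must also carry tags. Both enclosing callbacks start and end outside the hunk.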
+++ b/public/javascripts/instructure_helper.js @@ -720,7 +720,9 @@ } return r; } - + $.htmlEscape = function(str) { + return $('
').text(str).html(); + } // Fills the selected object(s) with data values as specified. Plaintext values should be specified in the // data: data used to fill template. @@ -771,8 +773,8 @@ $found.val(options.data[item]); } else { try { - var str = options.data[item].toString().replace(/\&/g, "&").replace(/\"/g, """).replace(/\/g, ">"); - $found.html(str); + var str = options.data[item].toString(); + $found.html($.htmlEscape(str)); } catch(e) { } } } @@ -811,6 +813,7 @@ } return this; }; + $.fn.fillTemplateData.defaults = {htmlValues: null, hrefValues: null}; // Reverse version of fillTemplateData. Lets you pull out the string versions of values held in divs, spans, etc. // Based on the usage of class names within an object to specify an object's sub-parts. diff --git a/public/javascripts/sis_import.js b/public/javascripts/sis_import.js index a5b1fc23387..188884d1a00 100644 --- a/public/javascripts/sis_import.js +++ b/public/javascripts/sis_import.js @@ -32,7 +32,7 @@ $(document).ready(function(event) { output += "
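Review bot: `$.htmlEscape` built from `$('<div/>').text(str).html()` escapes `&`, `<` and `>` but not quotes, so it is only safe for element content — a value it escapes is still injectable inside an attribute such as `value="..."` — and the removed `fillTemplateData` line did replace `\"` (the `"""` shown here reads like an entity-decoded `&quot;`), so the helper guarantees slightly less than the code it replaces. A plain string replacement covers both element and attribute contexts, handles `null`/`undefined` (with the jQuery versions of this era `.text(undefined)` acts as a getter and returns a string, so `.html()` then throws), and does not depend on browser serialization. In `fillTemplateData` itself, `$found.html($.htmlEscape(str))` is equivalent to `$found.text(str)`.

```javascript
$.htmlEscape = function(str) {
  // Escape for both element content and attribute values; null/undefined become "".
  return (str == null ? "" : String(str))
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
};
```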
  • Errors that prevent importing\n
      "; for(var i in batch.processing_errors) { var message = batch.processing_errors[i]; - output += "
    • " + message[0] + " - " + message[1] + "
    • "; + output += "
    • " + $.htmlEscape(message[0]) + " - " + $.htmlEscape(message[1]) + "
    • "; } output += "
    \n
  • "; } @@ -40,7 +40,7 @@ $(document).ready(function(event) { output += "
  • Warnings\n
      "; for(var i in batch.processing_warnings) { var message = batch.processing_warnings[i]; - output += "
    • " + message[0] + " - " + message[1] + "
    • "; + output += "
    • " + $.htmlEscape(message[0]) + " - " + $.htmlEscape(message[1]) + "
    • "; } output += "
    \n
  • "; } @@ -162,7 +162,7 @@ $(document).ready(function(event) { startPoll(); } else { //show error message - $(".sis_messages .error_message").html(data.error_message); + $(".sis_messages .error_message").text(data.error_message); $(".sis_messages").show(); if(data.batch_in_progress){ startPoll(); diff --git a/public/javascripts/wiki_sidebar.js b/public/javascripts/wiki_sidebar.js index f6afbcb8b29..19760cbe341 100644 --- a/public/javascripts/wiki_sidebar.js +++ b/public/javascripts/wiki_sidebar.js @@ -164,6 +164,7 @@ if(name.length + level + 1 > 38) { name = name.substring(0, 35) + "..."; } + name = $.htmlEscape(name); for(var idx = 0; idx < level; idx++) { name = "  " + name; }