escape quiz titles in ember show page

fixes CNVS-13699
This commit escapes any HTML present in a quiz's title when it's
rendered in the breadcrumbs.

Test plan
- As a teacher, create a quiz in the new Ember show design, with HTML in
  the title (e.g., "Unnamed Quiz <script>alert('Oh noes!');</script>")
- The HTML should be escaped in the breadcrumbs, and any script tags
  shouldn't execute.
- The same should apply when editing quizzes.

Change-Id: Ifc67063d053995b3f20d14b029fae2460f7de382
Reviewed-on: https://gerrit.instructure.com/36784
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Derek DeVries <ddevries@instructure.com>
QA-Review: Caleb Guanzon <cguanzon@instructure.com>
Product-Review: Josh Simpson <jsimpson@instructure.com>
Josh Simpson 2014-06-24 09:40:57 -06:00
parent f467416003
commit ba19c18a63
1 changed files with 2 additions and 1 deletions


@ -10,9 +10,10 @@ define [
addBreadCrumb: (->
quizUrl = @controller.get('htmlURL')
escapedTitle = $("<div />").text(@controller.get("title")).html()
breadcrumb = $(
"<li><a href=\"#{quizUrl}\"><span class=\"ellipsible\">" +
@controller.get("title") +
escapedTitle +
"</span></a></li>")
$("#breadcrumbs ul").append(breadcrumb)
).on('didInsertElement')
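Review bot: the `quizUrl` interpolated into `href=\"#{quizUrl}\"` in the same string literal is still unescaped, so this hunk fixes the title in element content but leaves the attribute value concatenated raw. Since the element is built with jQuery anyway, consider constructing it through the DOM rather than a string, e.g. `$('<li />').append($('<a />').attr('href', quizUrl).append($('<span class="ellipsible" />').text(@controller.get('title'))))`; `.attr()` and `.text()` set the attribute and text content directly, which makes the `$("<div />").text(...).html()` round trip unnecessary (that idiom only escapes `&`, `<` and `>`, which is enough for text content but not for attribute values) and keeps the breadcrumb from regressing if the title is concatenated again later.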