From ff1979e12e0b012374e2ab3712b19f87e1a92e64 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Tue, 1 Sep 2009 01:12:02 -0700
Subject: Fix XSS in tags JS

---
 modules/tag/js/tag.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'modules/tag/js')

diff --git a/modules/tag/js/tag.js b/modules/tag/js/tag.js
index 61ac73f4..aaae9e72 100644
--- a/modules/tag/js/tag.js
+++ b/modules/tag/js/tag.js
@@ -27,18 +27,24 @@ function closeEditInPlaceForms() {
   }
 }
 
+function str_replace(search_term, replacement, string) {
+  var temp = string.split(search_term);
+  return temp.join(replacement);
+}
+
 function editInPlace(element) {
   closeEditInPlaceForms();
 
   // create edit form
   var tag_id = $(this).attr('id').substr(5);
-  var tag_name = $(this).text();
+  var tag_name = $(this).html();
   var tag_width = $(this).width();
   $(this).parent().data("revert", $(this).parent().html());
   var form = '<form id="gRenameTagForm" method="post" class="ui-helper-clearfix" ';
   form += 'action="' + TAG_RENAME_URL.replace('__ID__', tag_id) + '">';
   form += '<input name="csrf" type="hidden" value="' + csrf_token + '" />';
-  form += '<input id="name" name="name" type="text" class="textbox" value="' + tag_name + '" />';
+  form += '<input id="name" name="name" type="text" class="textbox" value="' +
+          str_replace('"', "&quot;", tag_name) + '" />';
   form += '<input type="submit" class="submit ui-state-default ui-corner-all" value="' + save_i18n + '" i/>';
   form += '<a href="#">' + cancel_i18n + '</a>';
   form += '</form>';
-- 
cgit v1.2.3