fix XSS in labels
author
Akiyah
<akiya.mizukoshi@gmail.com>
Sat, 4 Jan 2014 17:07:25 +0000
(
02:07
+0900)
committer
Akiyah
<akiya.mizukoshi@gmail.com>
Sat, 4 Jan 2014 17:07:25 +0000
(
02:07
+0900)
plugins/legend.js
diff --git
a/plugins/legend.js
b/plugins/legend.js
index
66408b6
..
f4eb665
100644
(file)
--- a/
plugins/legend.js
+++ b/
plugins/legend.js
@@
-120,6
+120,10
@@
var calculateEmWidthInDiv = function(div) {
return oneEmWidth;
};
return oneEmWidth;
};
+var escapeHTML = function(str) {
+ return str.replace(/&/g, "&").replace(/"/g, """).replace(/</g, "<").replace(/>/g, ">");
+}
+
legend.prototype.select = function(e) {
var xValue = e.selectedX;
var points = e.selectedPoints;
legend.prototype.select = function(e) {
var xValue = e.selectedX;
var points = e.selectedPoints;
@@
-208,7
+212,7
@@
generateLegendHTML = function(g, x, sel_points, oneEmWidth) {
strokePattern = g.getOption("strokePattern", labels[i]);
dash = generateLegendDashHTML(strokePattern, series.color, oneEmWidth);
html += "<span style='font-weight: bold; color: " + series.color + ";'>" +
strokePattern = g.getOption("strokePattern", labels[i]);
dash = generateLegendDashHTML(strokePattern, series.color, oneEmWidth);
html += "<span style='font-weight: bold; color: " + series.color + ";'>" +
- dash + " " +
labels[i]
+ "</span>";
+ dash + " " +
escapeHTML(labels[i])
+ "</span>";
}
return html;
}
}
return html;
}
@@
-245,7
+249,7
@@
generateLegendHTML = function(g, x, sel_points, oneEmWidth) {
// TODO(danvk): use a template string here and make it an attribute.
html += "<span" + cls + ">" + " <b><span style='color: " + series.color + ";'>" +
// TODO(danvk): use a template string here and make it an attribute.
html += "<span" + cls + ">" + " <b><span style='color: " + series.color + ";'>" +
-
pt.name
+ "</span></b>: " + yval + "</span>";
+
escapeHTML(pt.name)
+ "</span></b>: " + yval + "</span>";
}
return html;
};
}
return html;
};
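Review bot: The new `escapeHTML` helper at the top of the section leaves `'` unescaped and will throw if a label is not a string, and the two legend hunks still concatenate `series.color` and `yval` into the same markup unescaped (`style='color: " + series.color + ";'`), so a color value carrying `'` or `>` would still break out of the single-quoted attribute if page data can influence it — whether it can depends on callers outside this diff. As printed on this page the replacement strings read as bare `"&"`, `"""`, `"<"`, `">"`, which would make the function a no-op (and `"""` a syntax error); presumably the committed source has the entity names `&amp;`, `&quot;`, `&lt;`, `&gt;` and the page decoded them, but that is worth confirming against the blob. I would make the helper total over its input and cover the attribute-quote case, `var escapeHTML = function(str) {` / `  return String(str).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;").replace(/</g, "&lt;").replace(/>/g, "&gt;");` / `};`, and pass `series.color` through it at both `<span style='color: ...'>` sites. The `}` closing the helper also lacks the `;` the file's other function expressions use (`};` after `calculateEmWidthInDiv` and `select`).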