Sanitize input for ofnTaxonAutocomplete and userSelect directives

2026-01-24 20:36:49 +00:00 · 2016-02-24 11:08:51 +11:00
parent 4314bfb99c
commit 6193bb896b
3 changed files with 6 additions and 5 deletions
--- a/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee
+++ b/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee
@@ -1,4 +1,4 @@
-angular.module("admin.taxons").directive "ofnTaxonAutocomplete", (Taxons) ->
+angular.module("admin.taxons").directive "ofnTaxonAutocomplete", (Taxons, $sanitize) ->
  # Adapted from Spree's existing taxon autocompletion
  scope: true
  link: (scope,element,attrs) ->
@@ -18,7 +18,7 @@ angular.module("admin.taxons").directive "ofnTaxonAutocomplete", (Taxons) ->
        query: (query) ->
          query.callback { results: Taxons.findByTerm(query.term) }
        formatResult: (taxon) ->
-          taxon.name
+          $sanitize(taxon.name)
        formatSelection: (taxon) ->
          taxon.name

--- a/app/assets/javascripts/admin/taxons/taxons.js.coffee
+++ b/app/assets/javascripts/admin/taxons/taxons.js.coffee
@@ -1 +1 @@
-angular.module("admin.taxons", [])
+angular.module("admin.taxons", ['ngSanitize'])
--- a/app/assets/javascripts/admin/users/directives/user_select.js.coffee
+++ b/app/assets/javascripts/admin/users/directives/user_select.js.coffee
@@ -1,4 +1,4 @@
-angular.module("admin.users").directive "userSelect", ->
+angular.module("admin.users").directive "userSelect", ($sanitize) ->
  scope:
    user: '&userSelect'
    model: '=ngModel'
@@ -11,9 +11,10 @@ angular.module("admin.users").directive "userSelect", ->
        ajax:
          url: '/admin/search/known_users'
          datatype: 'json'
-          data:(term, page) ->
+          data: (term, page) ->
            { q: term }
          results: (data, page) ->
+            item.email = $sanitize(item.email) for item in data
            { results: data }
        formatResult: (user) ->
          user.email