From 6193bb896b21537930a72f1f6df93d9d451c19e7 Mon Sep 17 00:00:00 2001
From: Rohan Mitchell
Date: Wed, 24 Feb 2016 11:08:51 +1100
Subject: [PATCH] Sanitize input for ofnTaxonAutocomplete and userSelect directives
---
 .../admin/taxons/directives/taxon_autocomplete.js.coffee | 4 ++--
 app/assets/javascripts/admin/taxons/taxons.js.coffee | 2 +-
 .../javascripts/admin/users/directives/user_select.js.coffee | 5 +++--
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee b/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee
index b978a050ad..b1eac64569 100644
--- a/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee
+++ b/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee
@@ -1,4 +1,4 @@
-angular.module("admin.taxons").directive "ofnTaxonAutocomplete", (Taxons) ->
+angular.module("admin.taxons").directive "ofnTaxonAutocomplete", (Taxons, $sanitize) ->
 # Adapted from Spree's existing taxon autocompletion
 scope: true
 link: (scope,element,attrs) ->
@@ -18,7 +18,7 @@ angular.module("admin.taxons").directive "ofnTaxonAutocomplete", (Taxons) ->
 query: (query) ->
 query.callback { results: Taxons.findByTerm(query.term) }
 formatResult: (taxon) ->
- taxon.name
+ $sanitize(taxon.name)
 formatSelection: (taxon) ->
 taxon.name
diff --git a/app/assets/javascripts/admin/taxons/taxons.js.coffee b/app/assets/javascripts/admin/taxons/taxons.js.coffee
index 863e6e8125..07de167ccf 100644
--- a/app/assets/javascripts/admin/taxons/taxons.js.coffee
+++ b/app/assets/javascripts/admin/taxons/taxons.js.coffee
@@ -1 +1 @@
-angular.module("admin.taxons", [])
\ No newline at end of file
+angular.module("admin.taxons", ['ngSanitize'])
\ No newline at end of file
diff --git a/app/assets/javascripts/admin/users/directives/user_select.js.coffee b/app/assets/javascripts/admin/users/directives/user_select.js.coffee
index bde54fd6d0..787ef2124b 100644
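Review bot: `formatSelection` on the line right after the changed one still returns the raw `taxon.name`, so the same untrusted string that is now sanitized for the dropdown row is rendered unsanitized as soon as a taxon is picked; if these are Select2 formatters, the selection is inserted as markup too and needs the same treatment, e.g. `formatSelection: (taxon) -> $sanitize(taxon.name)`. Note also that `$sanitize` is an allow-list, not an escape: a name such as `<b>Fruit</b>` will render bold rather than literally. If taxon names are plain text, HTML-escaping them (the `escapeMarkup` callback Select2 hands to these formatters, assuming that is the widget here) shows the name verbatim and closes the same injection. The directive body continues outside the hunk.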
--- a/app/assets/javascripts/admin/users/directives/user_select.js.coffee
+++ b/app/assets/javascripts/admin/users/directives/user_select.js.coffee
@@ -1,4 +1,4 @@
-angular.module("admin.users").directive "userSelect", ->
+angular.module("admin.users").directive "userSelect", ($sanitize) ->
 scope:
 user: '&userSelect'
 model: '=ngModel'
@@ -11,9 +11,10 @@ angular.module("admin.users").directive "userSelect", ->
 ajax:
 url: '/admin/search/known_users'
 datatype: 'json'
- data:(term, page) ->
+ data: (term, page) ->
 { q: term }
 results: (data, page) ->
+ item.email = $sanitize(item.email) for item in data
 { results: data }
 formatResult: (user) ->
 user.email
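Review bot: `$sanitize` is now injected into `userSelect`, but unlike `admin.taxons`, which this patch changes to depend on `['ngSanitize']`, the diffstat lists no change to the `admin.users` module definition. Unless `admin.users` (or a parent module that loads it) already declares `ngSanitize`, the injector will throw an unknown-provider error when the directive is compiled and the sanitization never runs. Mirror the taxons change with `angular.module("admin.users", ['ngSanitize'])` in the users module file, or confirm the dependency is already declared elsewhere.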
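Review bot: `item.email = $sanitize(item.email) for item in data` rewrites the data objects rather than the rendered text, so the sanitized value is presumably what Select2 holds for the selection and what reaches the `model` binding declared in the first hunk. `$sanitize` re-serializes its input, so an address containing `&` comes back as `&amp;` and any stripped characters are lost from the model, not just from the display. Sanitizing at the rendering point, `formatResult: (user) -> $sanitize(user.email)` (and likewise in `formatSelection`, if one exists beyond the hunk), keeps the server's value intact while still closing the injection; the directive's options object continues past the end of the hunk.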