diff --git a/app/templates/packages/create_edit.html b/app/templates/packages/create_edit.html
index 666d4cd..8191a17 100644
--- a/app/templates/packages/create_edit.html
+++ b/app/templates/packages/create_edit.html
@@ -22,14 +22,22 @@
 {% endfor %}
 ]
+ function escape(unsafe) {
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+ }
+
 all_packages = meta_packages.slice();
 {% for p in packages %}
- {# This is safe as name can only contain `[a-z0-9_]` #}
 all_packages.push({
 id: "{{ p.author.username }}/{{ p.name }}",
- value: {{ p.title | tojson }} + " by " + {{ p.author.display_name | tojson }},
- toString: function() { return {{ p.title | tojson }} + " by " + {{ p.author.display_name | tojson }} + " only"; },
+ value: escape({{ p.title | tojson }} + " by " + {{ p.author.display_name | tojson }}),
+ toString: function() { return escape({{ p.title | tojson }} + " by " + {{ p.author.display_name | tojson }} + " only"); },
 });
 {% endfor %}
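Review bot: The deleted comment (`This is safe as name can only contain [a-z0-9_]`) was the only record of why the unchanged `id: "{{ p.author.username }}/{{ p.name }}",` line may interpolate straight into a JS string literal without `tojson`, and that line still depends on the invariant; either restore the comment above `all_packages.push({` or build the id like the neighbouring fields, e.g. `id: {{ (p.author.username ~ "/" ~ p.name) | tojson }},`. As rendered here the helper's `.replace(//g, ">")` has an empty pattern and the `&`, `"` and `'` replacements look identical to what they match — presumably the entity names were lost in extraction, but an empty `//g` would insert `>` between every character of the input, so the committed source is worth checking. `escape` also shadows the legacy global `escape()`; naming it `escapeHtml` makes the intent clear, and a one-line comment stating that it exists because the autocomplete widget renders `value`/`toString()` as HTML (my inference, the widget is not in the hunk) would explain why `tojson` alone is not enough. The enclosing `<script>` block and the hunk's trailing context lie outside the visible diff.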