Excape HTML (where needed, for bootbox) (references #996)

public/js/extensions.js

@@ -172,10 +172,12 @@ function animateCSS(selector, animationName, callback, speed = "faster")
 
 	nodes.on('animationend', handleAnimationEnd);
 }
+
 function RandomString()
 {
 	return Math.random().toString(36).substring(2, 100) + Math.random().toString(36).substring(2, 100);
 }
+
 function getQRCodeForContent(url)
 {
 	var qr = qrcode(0, 'L');
@@ -183,6 +185,7 @@ function getQRCodeForContent(url)
 	qr.make();
 	return qr.createImgTag(10, 5);
 }
+
 function getQRCodeForAPIKey(apikey_type, apikey_key)
 {
 	var content = U('/api') + '|' + apikey_key;
@@ -192,3 +195,8 @@ function getQRCodeForAPIKey(apikey_type, apikey_key)
 	}
 	return getQRCodeForContent(content);
 }
+
+function SanitizeHtml(input)
+{
+	return $("<div/>").text(input).html();
+}

public/viewjs/batteries.js

@@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.battery-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-battery-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-battery-name'));
 	var objectId = $(e.currentTarget).attr('data-battery-id');
 
 	bootbox.confirm({

public/viewjs/chores.js

@@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.chore-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-chore-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-chore-name'));
 	var objectId = $(e.currentTarget).attr('data-chore-id');
 
 	bootbox.confirm({

public/viewjs/components/productpicker.js

@@ -162,7 +162,7 @@ $('#product_id_text_input').on('blur', function(e)
 
 			Grocy.Components.ProductPicker.PopupOpen = true;
 			bootbox.dialog({
-				message: __t('"%s" could not be resolved to a product, how do you want to proceed?', input),
+				message: __t('"%s" could not be resolved to a product, how do you want to proceed?', SanitizeHtml(input)),
 				title: __t('Create or assign product'),
 				onEscape: function()
 				{

public/viewjs/equipment.js

@@ -68,7 +68,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.equipment-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-equipment-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-equipment-name'));
 	var objectId = $(e.currentTarget).attr('data-equipment-id');
 
 	bootbox.confirm({

public/viewjs/locations.js

@@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.location-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-location-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-location-name'));
 	var objectId = $(e.currentTarget).attr('data-location-id');
 
 	bootbox.confirm({

public/viewjs/mealplan.js

@@ -563,7 +563,7 @@ $(document).on('click', '.recipe-order-missing-button', function(e)
 	// to prevent that the tooltip stays until clicked anywhere else
 	document.activeElement.blur();
 
-	var objectName = $(e.currentTarget).attr('data-recipe-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name'));
 	var objectId = $(e.currentTarget).attr('data-recipe-id');
 	var button = $(this);
 	var servings = $(e.currentTarget).attr('data-mealplan-servings');
@@ -667,7 +667,7 @@ $(document).on('click', '.recipe-consume-button', function(e)
 	// to prevent that the tooltip stays until clicked anywhere else
 	document.activeElement.blur();
 
-	var objectName = $(e.currentTarget).attr('data-recipe-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name'));
 	var objectId = $(e.currentTarget).attr('data-recipe-id');
 	var servings = $(e.currentTarget).attr('data-mealplan-servings');
 

public/viewjs/productgroups.js

@@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.product-group-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-group-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-group-name'));
 	var objectId = $(e.currentTarget).attr('data-group-id');
 
 	bootbox.confirm({

public/viewjs/products.js

@@ -38,7 +38,7 @@ if (typeof GetUriParam("product-group") !== "undefined")
 
 $(document).on('click', '.product-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-product-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-product-name'));
 	var objectId = $(e.currentTarget).attr('data-product-id');
 
 	Grocy.Api.Get('stock/products/' + objectId,

public/viewjs/quantityunits.js

@@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.quantityunit-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-quantityunit-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-quantityunit-name'));
 	var objectId = $(e.currentTarget).attr('data-quantityunit-id');
 
 	bootbox.confirm({

public/viewjs/recipeform.js

@@ -126,7 +126,7 @@ $('#recipe-form input').keydown(function(event)
 
 $(document).on('click', '.recipe-pos-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-recipe-pos-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-pos-name'));
 	var objectId = $(e.currentTarget).attr('data-recipe-pos-id');
 
 	bootbox.confirm({
@@ -163,7 +163,7 @@ $(document).on('click', '.recipe-pos-delete-button', function(e)
 
 $(document).on('click', '.recipe-include-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-recipe-include-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-include-name'));
 	var objectId = $(e.currentTarget).attr('data-recipe-include-id');
 
 	bootbox.confirm({
@@ -200,7 +200,7 @@ $(document).on('click', '.recipe-include-delete-button', function(e)
 
 $(document).on('click', '.recipe-pos-show-note-button', function(e)
 {
-	var note = $(e.currentTarget).attr('data-recipe-pos-note');
+	var note = SanitizeHtml($(e.currentTarget).attr('data-recipe-pos-note'));
 
 	bootbox.alert(note);
 });

public/viewjs/recipes.js

@@ -81,7 +81,7 @@ $(".recipe-delete").on('click', function(e)
 {
 	e.preventDefault();
 
-	var objectName = $(e.currentTarget).attr('data-recipe-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name'));
 	var objectId = $(e.currentTarget).attr('data-recipe-id');
 
 	bootbox.confirm({
@@ -118,7 +118,7 @@ $(".recipe-delete").on('click', function(e)
 
 $(document).on('click', '.recipe-shopping-list', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-recipe-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name'));
 	var objectId = $(e.currentTarget).attr('data-recipe-id');
 
 	bootbox.confirm({
@@ -164,7 +164,7 @@ $(document).on('click', '.recipe-shopping-list', function(e)
 
 $(".recipe-consume").on('click', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-recipe-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name'));
 	var objectId = $(e.currentTarget).attr('data-recipe-id');
 
 	bootbox.confirm({

public/viewjs/shoppinglist.js

@@ -77,7 +77,7 @@ $(".status-filter-message").on("click", function()
 
 $("#delete-selected-shopping-list").on("click", function()
 {
-	var objectName = $("#selected-shopping-list option:selected").text();
+	var objectName = SanitizeHtml($("#selected-shopping-list option:selected").text());
 	var objectId = $("#selected-shopping-list").val();
 
 	bootbox.confirm({
@@ -158,7 +158,7 @@ $(document).on('click', '#add-products-below-min-stock-amount', function(e)
 $(document).on('click', '#clear-shopping-list', function(e)
 {
 	bootbox.confirm({
-		message: __t('Are you sure to empty shopping list "%s"?', $("#selected-shopping-list option:selected").text()),
+		message: __t('Are you sure to empty shopping list "%s"?', SanitizeHtml($("#selected-shopping-list option:selected").text())),
 		closeButton: false,
 		buttons: {
 			confirm: {

public/viewjs/shoppinglocations.js

@@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.shoppinglocation-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-shoppinglocation-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-shoppinglocation-name'));
 	var objectId = $(e.currentTarget).attr('data-shoppinglocation-id');
 
 	bootbox.confirm({

public/viewjs/taskcategories.js

@@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.task-category-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-category-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-category-name'));
 	var objectId = $(e.currentTarget).attr('data-category-id');
 
 	bootbox.confirm({

public/viewjs/tasks.js

@@ -119,7 +119,7 @@ $(document).on('click', '.delete-task-button', function(e)
 {
 	e.preventDefault();
 
-	var objectName = $(e.currentTarget).attr('data-task-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-task-name'));
 	var objectId = $(e.currentTarget).attr('data-task-id');
 
 	bootbox.confirm({

public/viewjs/userentities.js

@@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.userentity-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-userentity-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-userentity-name'));
 	var objectId = $(e.currentTarget).attr('data-userentity-id');
 
 	bootbox.confirm({

public/viewjs/userfields.js

@@ -33,7 +33,7 @@ $("#entity-filter").on("change", function()
 
 $(document).on('click', '.userfield-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-userfield-name');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-userfield-name'));
 	var objectId = $(e.currentTarget).attr('data-userfield-id');
 
 	bootbox.confirm({

public/viewjs/users.js

@@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function()
 
 $(document).on('click', '.user-delete-button', function(e)
 {
-	var objectName = $(e.currentTarget).attr('data-user-username');
+	var objectName = SanitizeHtml($(e.currentTarget).attr('data-user-username'));
 	var objectId = $(e.currentTarget).attr('data-user-id');
 
 	bootbox.confirm({