Commit de3c7396 authored by IKEDA Soji's avatar IKEDA Soji

[bug] Template strings passed to javascript were not escaped.

Fixed by escaping them with the escape_cstr filter.
parent 441761e5
...@@ -10,19 +10,19 @@ ...@@ -10,19 +10,19 @@
<!-- <!--
[%# A few configuration settings and miscellaneous vars. ~%] [%# A few configuration settings and miscellaneous vars. ~%]
var sympa = { var sympa = {
backText: "[%|loc%]Back[%END%]", backText: '[%"Back"|loc|escape_cstr%]',
calendarButtonText: "[%|loc%]Calendar[%END%]", calendarButtonText: '[%"Calendar"|loc|escape_cstr%]',
calendarFirstDay: 0, calendarFirstDay: 0,
closeText: "[%|loc%]Close[%END%]", closeText: '[%"Close"|loc|escape_cstr%]',
dayNames: "[%|loc%]Sunday:Monday:Tuesday:Wednesday:Thursday:Friday:Saturday[%END%]".split(":"), dayNames: '[%"Sunday:Monday:Tuesday:Wednesday:Thursday:Friday:Saturday"|loc|escape_cstr%]'.split(":"),
dayNamesMin: "[%|loc%]Su:Mo:Tu:We:Th:Fr:Sa[%END%]".split(":"), dayNamesMin: '[%"Su:Mo:Tu:We:Th:Fr:Sa"|loc|escape_cstr%]'.split(":"),
home_url: '[% path_cgi %]/', home_url: '[% path_cgi | escape_cstr %]/',
icons_url: '[% icons_url %]', icons_url: '[% icons_url | escape_cstr %]',
lang: '[% lang %]', lang: '[% lang | escape_cstr %]',
loadingText: "[%|loc%]Please Wait...[%END%]", loadingText: '[%"Please Wait..."|loc|escape_cstr%]',
monthNamesShort: "[%|loc%]Jan:Feb:Mar:Apr:May:Jun:Jul:Aug:Sep:Oct:Nov:Dec[%END%]".split(":"), monthNamesShort: '[%"Jan:Feb:Mar:Apr:May:Jun:Jul:Aug:Sep:Oct:Nov:Dec"|loc|escape_cstr%]'.split(":"),
openInNewWinText: "[%|loc%]Open in a new window[%END%]", openInNewWinText: '[%"Open in a new window"|loc|escape_cstr%]',
resetText: "[%|loc%]Reset[%END%]" resetText: '[%"Reset"|loc|escape_cstr%]'
}; };
[%# Variable for backward compatibility. ~%] [%# Variable for backward compatibility. ~%]
var lang = '[% lang %]'; var lang = '[% lang %]';
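Review bot: The backward-compatibility assignment `var lang = '[% lang %]';` at the end of this hunk still interpolates `lang` without the filter, although the same value is now escaped inside the `sympa` object as `lang: '[% lang | escape_cstr %]'`. For consistency it should read `var lang = '[% lang | escape_cstr %]';`. Because this script sits inline in an HTML page, it is also worth confirming that escape_cstr neutralises `</script>` and line breaks as well as quotes and backslashes; the filter's definition is not visible on this page. A template comment above `var sympa` such as `[%# Every value placed in a JS string literal must pass through escape_cstr. ~%]` would help keep later additions safe.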
......
...@@ -21,7 +21,7 @@ ...@@ -21,7 +21,7 @@
<!-- <!--
var line = [% o.stats_values %]; var line = [% o.stats_values %];
$.jqplot('[% chartid %]', [line], { $.jqplot('[% chartid %]', [line], {
title: '[% o.title.replace('([\\\\\'])', '\\\\$1') %]', title: '[% o.title | escape_cstr %]',
axesDefaults: { axesDefaults: {
min: 0, min: 0,
tickRenderer: $.jqplot.CanvasAxisTickRenderer, tickRenderer: $.jqplot.CanvasAxisTickRenderer,
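Review bot: `'[% chartid %]'` on the `$.jqplot(` line is still placed in a single-quoted string without escape_cstr, and `var line = [% o.stats_values %];` is emitted as a raw JavaScript expression, so only `o.title` is covered by this change. I would write `$.jqplot('[% chartid | escape_cstr %]', [line], {`. If `o.stats_values` can ever hold anything other than server-generated numbers (not determinable from this hunk), it should be serialised through a JSON encoder rather than interpolated directly. The options object continues beyond the hunk.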
......