Properly escape the name

19611898 · Robert Raposa · Eric Fischer · 86913938 · 19611898
Commit 19611898 authored 9 years ago by Robert Raposa Committed by Eric Fischer 9 years ago
--- a/lms/templates/instructor/instructor_dashboard_2/metrics.html
+++ b/lms/templates/instructor/instructor_dashboard_2/metrics.html
@@ -91,7 +91,7 @@ from django.template.defaultfilters import escapejs
            $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);

            $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + '</td></tr>';
              $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
            });
            // If student list too long, append message to screen.
@@ -131,7 +131,7 @@ from django.template.defaultfilters import escapejs
            $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);

            $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + "</td><td>" + value['grade'] + "</td><td>" + value['percent'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + "</td><td>" + _.escape(value['grade']) + "</td><td>" + _.escape(value['percent']) + '</td></tr>';
              $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
            });
            // If student list too long, append message to screen.