From 2180e31d13cb3c0238a8cce00ae14877f0eb0d24 Mon Sep 17 00:00:00 2001
From: Naoki Takezoe <takezoe@gmail.com>
Date: Sat, 13 Jan 2018 16:48:21 +0900
Subject: [PATCH] Escape in JavaScript

---
 .../gitbucket/core/service/RepositoryService.scala   |  4 ----
 .../twirl/gitbucket/core/releases/form.scala.html    |  4 ++--
 src/main/webapp/assets/common/js/gitbucket.js        | 12 ++++++------
 3 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/src/main/scala/gitbucket/core/service/RepositoryService.scala b/src/main/scala/gitbucket/core/service/RepositoryService.scala
index 20448c8ab..599762932 100644
--- a/src/main/scala/gitbucket/core/service/RepositoryService.scala
+++ b/src/main/scala/gitbucket/core/service/RepositoryService.scala
@@ -537,10 +537,6 @@ object RepositoryService {
 
       (id, path.substring(id.length).stripPrefix("/"))
     }
-
-//    def getReleaseByTag(tag: String)(implicit s: Session): Option[Release] = {
-//      Releases filter (_.byTag(owner, name, tag)) firstOption
-//    }
   }
 
   def httpUrl(owner: String, name: String)(implicit context: Context): String = s"${context.baseUrl}/git/${owner}/${name}.git"
diff --git a/src/main/twirl/gitbucket/core/releases/form.scala.html b/src/main/twirl/gitbucket/core/releases/form.scala.html
index 7dacfabd1..1e0989160 100644
--- a/src/main/twirl/gitbucket/core/releases/form.scala.html
+++ b/src/main/twirl/gitbucket/core/releases/form.scala.html
@@ -75,9 +75,9 @@ $(function(){
     success: function(file, id) {
       var attach =
         '<li><a href="@context.baseUrl/@repository.owner/@repository.name/_release/@helpers.encodeRefName(tag)/' + id + '">' +
-        '<i class="octicon octicon-file"></i>' + file.name + '</a>' +
+        '<i class="octicon octicon-file"></i>' + escapeHtml(file.name) + '</a>' +
         '<a href="#" class="remove pull-right" style="padding-top: 0px;">(remove)</a>' +
-        '<input type="hidden" name="file:' + id + '" value="' + file.name + '"/>' + // TODO escape file.name
+        '<input type="hidden" name="file:' + id + '" value="' + escapeHtml(file.name) + '"/>'
         '</li>';
       $('#assets-list').append(attach);
       $(file.previewElement).prevAll('div.dz-preview').addBack().remove();
diff --git a/src/main/webapp/assets/common/js/gitbucket.js b/src/main/webapp/assets/common/js/gitbucket.js
index db1682283..991b25423 100644
--- a/src/main/webapp/assets/common/js/gitbucket.js
+++ b/src/main/webapp/assets/common/js/gitbucket.js
@@ -351,12 +351,12 @@ function scrollIntoView(target){
   }
 }
 
-///**
-// * escape html
-// */
-//function escapeHtml(text){
-//  return text.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/"/g,'&quot;').replace(/>/g,'&gt;');
-//}
+/**
+* escape html
+*/
+function escapeHtml(text){
+ return text.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/"/g,'&quot;').replace(/>/g,'&gt;');
+}
 
 /**
  * calculate string ranking for path.