Escape in JavaScript

src/main/scala/gitbucket/core/service/RepositoryService.scala

@@ -537,10 +537,6 @@ object RepositoryService {
 
       (id, path.substring(id.length).stripPrefix("/"))
     }
-
-//    def getReleaseByTag(tag: String)(implicit s: Session): Option[Release] = {
-//      Releases filter (_.byTag(owner, name, tag)) firstOption
-//    }
   }
 
   def httpUrl(owner: String, name: String)(implicit context: Context): String = s"${context.baseUrl}/git/${owner}/${name}.git"

src/main/twirl/gitbucket/core/releases/form.scala.html

@@ -75,9 +75,9 @@ $(function(){
     success: function(file, id) {
       var attach =
         '<li><a href="@context.baseUrl/@repository.owner/@repository.name/_release/@helpers.encodeRefName(tag)/' + id + '">' +
-        '<i class="octicon octicon-file"></i>' + file.name + '</a>' +
+        '<i class="octicon octicon-file"></i>' + escapeHtml(file.name) + '</a>' +
         '<a href="#" class="remove pull-right" style="padding-top: 0px;">(remove)</a>' +
-        '<input type="hidden" name="file:' + id + '" value="' + file.name + '"/>' + // TODO escape file.name
+        '<input type="hidden" name="file:' + id + '" value="' + escapeHtml(file.name) + '"/>'
         '</li>';
       $('#assets-list').append(attach);
       $(file.previewElement).prevAll('div.dz-preview').addBack().remove();

src/main/webapp/assets/common/js/gitbucket.js

@@ -351,12 +351,12 @@ function scrollIntoView(target){
   }
 }
 
-///**
-// * escape html
-// */
-//function escapeHtml(text){
-//  return text.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/"/g,'&quot;').replace(/>/g,'&gt;');
-//}
+/**
+* escape html
+*/
+function escapeHtml(text){
+ return text.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/"/g,'&quot;').replace(/>/g,'&gt;');
+}
 
 /**
  * calculate string ranking for path.