MOBILE-773 participants: Prevent XSS on user profile fields

moodlehq · Nov 28, 2014 · e48a701 · e48a701
1 parent 7306efe
commit e48a701
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/plugins/participants/participant.html b/plugins/participants/participant.html
@@ -7,10 +7,10 @@
         <div class="content">
             <div class="user-picture media">
                 <div class="img">
-                    <img src="<%= MM.util.getMoodleFilePath(user.profileimageurl) %>" alt="<% print( MM.util.formatText(user.fullname)); %>" />
+                    <img src="<%= MM.util.getMoodleFilePath(user.profileimageurl) %>" alt="<%= MM.util.formatText(user.fullname) %>" />
                 </div>
                 <div class="bd">
-                    <h1><% print( MM.util.formatText(user.fullname)); %></h1>
+                    <h1><%= MM.util.formatText(user.fullname) %></h1>
                 </div>
             </div>
 
@@ -20,24 +20,24 @@ <h2><%= MM.lang.s("contact") %></h2>
             <% var fields = ["email", "address", "city", "country", "phone1", "phone2"]; %>
             <% _.each(fields, function(field) { %>
             <% if (user[field]) { %>
-                <li><% print(MM.lang.s(field)); %>:
+                <li><%= MM.lang.s(field) %>:
                 <% if (field == "phone1" || field == "phone2") { %>
-                    <a href="tel:<% print(user[field]); %>"><% print(user[field]); %></a>
+                    <a href="tel:<%= user[field] %>"><%= MM.util.formatText(user[field], true) %></a>
 
                 <% } else if (field == "address") { %>
                     <% var add = user[field]; %>
-                    <% add += (user["city"]) ? "," + user["city"] : ""; %>
-                    <% add += (user["country"]) ? "," + user["country"] : ""; %>
+                    <% add += (user["city"]) ? "," + MM.util.formatText(user["city"], true) : ""; %>
+                    <% add += (user["country"]) ? "," + MM.util.formatText(user["country"], true) : ""; %>
                     <% add = encodeURIComponent(add); %>
 
                     <% if (MM.deviceOS == "android") { %>
-                        <a href="geo:<% print(add); %>" target="_blank"><% print(user[field]); %></a>
+                        <a href="geo:<%= add %>" target="_blank"><%= MM.util.formatText(user[field]) %></a>
                     <% } else { %>
-                        <a href="http://maps.google.com?q=<% print(add); %>" target="_blank"><% print(user[field]); %></a>
+                        <a href="http://maps.google.com?q=<%= add %>" target="_blank"><%= MM.util.formatText(user[field]) %></a>
                     <% }  %>
 
                 <% } else { %>
-                    <% print( MM.util.formatText(user[field])); %>
+                    <%= MM.util.formatText(user[field]) %>
                 <% } %>
                 </li>
             <% } %>
@@ -46,7 +46,7 @@ <h2><%= MM.lang.s("contact") %></h2>
 
             <% if (user.description) { %>
                 <h2><%= MM.lang.s("description") %></h2>
-                <div class="user-description"><% print( MM.util.formatText(user.description)); %></div>
+                <div class="user-description"><%= MM.util.formatText(user.description)  %></div>
             <% } %>
 
         </div>