Properly escape the name

0a8f6fa3 · Robert Raposa · Eric Fischer · 15ef27fe · 0a8f6fa3
Commit 0a8f6fa3 authored Mar 15, 2016 by Robert Raposa Committed by Eric Fischer Mar 21, 2016
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

lms/templates/instructor/instructor_dashboard_2/metrics.html
+2 -2

No files found.
--- a/lms/templates/instructor/instructor_dashboard_2/metrics.html
+++ b/lms/templates/instructor/instructor_dashboard_2/metrics.html
@@ -91,7 +91,7 @@ from django.template.defaultfilters import escapejs
            $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
            $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + '</td></tr>';
              $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
            });
            // If student list too long, append message to screen.
@@ -131,7 +131,7 @@ from django.template.defaultfilters import escapejs
            $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
            $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + "</td><td>" + value['grade'] + "</td><td>" + value['percent'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + "</td><td>" + _.escape(value['grade']) + "</td><td>" + _.escape(value['percent']) + '</td></tr>';
              $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
            });
            // If student list too long, append message to screen.