Sanitize paragraph and font names

webodf · Dec 2, 2014 · 4868742 · 4868742
1 parent d2c5435
commit 4868742
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/programs/editor/widgets/fontPicker.js b/programs/editor/widgets/fontPicker.js
@@ -23,9 +23,10 @@
  */
 /*global define,require,document */
 define("webodf/editor/widgets/fontPicker", [
-    "dijit/form/Select"],
+    "dijit/form/Select",
+    "dojox/html/entities"],
 
-    function (Select) {
+    function (Select, htmlEntities) {
         "use strict";
 
         /**
@@ -91,7 +92,7 @@ define("webodf/editor/widgets/fontPicker", [
                     name = documentFonts[i].name;
                     family = documentFonts[i].family || name;
                     selectionList.push({
-                        label: '<span style="font-family: ' + family + ';">' + name + '</span>',
+                        label: '<span style="font-family: ' + htmlEntities.encode(family) + ';">' + htmlEntities.encode(name)+ '</span>',
                         value: name
                     });
                 }
@@ -104,7 +105,7 @@ define("webodf/editor/widgets/fontPicker", [
                 // Lastly populate the fonts provided by the editor
                 for (i = 0; i < editorFonts.length; i += 1) {
                     selectionList.push({
-                        label: '<span style="font-family: ' + editorFonts[i] + ';">' + editorFonts[i] + '</span>',
+                        label: '<span style="font-family: ' + htmlEntities.encode(editorFonts[i]) + ';">' + htmlEntities.encode(editorFonts[i]) + '</span>',
                         value: editorFonts[i]
                     });
                 }

diff --git a/programs/editor/widgets/paragraphStyles.js b/programs/editor/widgets/paragraphStyles.js
@@ -26,9 +26,10 @@
 
 define("webodf/editor/widgets/paragraphStyles", [
     "dijit/form/Select",
+    "dojox/html/entities",
     "webodf/editor/EditorSession"],
 
-    function (Select, EditorSession) {
+    function (Select, htmlEntities, EditorSession) {
     "use strict"
 
     /**
@@ -83,7 +84,7 @@ define("webodf/editor/widgets/paragraphStyles", [
 
             for (i = 0; i < availableStyles.length; i += 1) {
                 selectionList.push({
-                    label: availableStyles[i].displayName || availableStyles[i].name,
+                    label: htmlEntities.encode(availableStyles[i].displayName) || htmlEntities.encode(availableStyles[i].name),
                     value: availableStyles[i].name
                 });
             }
@@ -102,8 +103,8 @@ define("webodf/editor/widgets/paragraphStyles", [
 
             newStyleElement = editorSession.getParagraphStyleElement(styleInfo.name);
             select.addOption({
-                value: styleInfo.name,
-                label: newStyleElement.getAttributeNS(stylens, 'display-name')
+                label: htmlEntities.encode(newStyleElement.getAttributeNS(stylens, 'display-name')),
+                value: styleInfo.name
             });
 
             if (self.onAdd) {