From 40f223deca90d5b9f979c94d66aebc815d0a19d3 Mon Sep 17 00:00:00 2001
From: aignatov-bio <47317017+aignatov-bio@users.noreply.github.com>
Date: Mon, 13 Mar 2023 15:19:59 +0100
Subject: [PATCH] Fix XSS for tasks table titles [SCI-8133] (#5134)

---
 app/assets/javascripts/experiments/table.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/app/assets/javascripts/experiments/table.js b/app/assets/javascripts/experiments/table.js
index e47606f88..394abacb6 100644
--- a/app/assets/javascripts/experiments/table.js
+++ b/app/assets/javascripts/experiments/table.js
@@ -1,5 +1,5 @@
 /* global I18n GLOBAL_CONSTANTS InfiniteScroll
-          initBSTooltips filterDropdown dropdownSelector Sidebar HelperModule notTurbolinksPreview */
+          initBSTooltips filterDropdown dropdownSelector Sidebar HelperModule notTurbolinksPreview _ */
 
 var ExperimnetTable = {
   permissions: ['editable', 'archivable', 'restorable', 'moveable'],
@@ -635,17 +635,17 @@ var ExperimnetTable = {
 };
 
 ExperimnetTable.render.task_name = function(data) {
-  let tooltip = ` title="${data.name}" data-toggle="tooltip" data-placement="bottom"`;
+  let tooltip = ` title="${_.escape(data.name)}" data-toggle="tooltip" data-placement="bottom"`;
   if (data.provisioning_status === 'in_progress') {
-    return `<span data-full-name="${data.name}">${data.name}</span>`;
+    return `<span data-full-name="${_.escape(data.name)}">${data.name}</span>`;
   }
 
   return `<a
     href="${data.url}"
     ${tooltip}
-    title="${data.name}"
+    title="${_.escape(data.name)}"
     id="taskName${data.id}"
-    data-full-name="${data.name}">${data.name}</a>`;
+    data-full-name="${_.escape(data.name)}">${data.name}</a>`;
 };
 
 ExperimnetTable.render.id = function(data) {