Improve escaping of special characters in flash messages [SCI-8137] (#5144)

2025-10-31 00:19:20 +08:00 · 2023-03-15 15:56:47 +01:00 · 2023-03-15 15:56:47 +01:00 · b0251435e5
commit b0251435e5
parent 44823da268
3 changed files with 4 additions and 4 deletions
--- a/app/controllers/access_permissions/projects_controller.rb
+++ b/app/controllers/access_permissions/projects_controller.rb
@ -69,7 +69,7 @@ module AccessPermissions
      respond_to do |format|
        if project_member.destroy
          format.json do
-            render json: { flash: t('access_permissions.destroy.success', member_name: user.full_name) },
+            render json: { flash: t('access_permissions.destroy.success', member_name: escape_input(user.full_name)) },
                   status: :ok
          end
        else
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@ -235,7 +235,7 @@ class AssetsController < ApplicationController
        log_result_activity(:edit_result, @assoc)
      end

-      render json: { flash: I18n.t('assets.file_deleted', file_name: @asset.file_name) }
+      render json: { flash: I18n.t('assets.file_deleted', file_name: escape_input(@asset.file_name)) }
    else
      render json: {}, status: :unprocessable_entity
    end
--- a/app/controllers/repository_rows_controller.rb
+++ b/app/controllers/repository_rows_controller.rb
@ -260,7 +260,7 @@ class RepositoryRowsController < ApplicationController
                                                         team: current_team)

    if service.succeed?
-      render json: { flash: t('repositories.archive_records.success_flash', repository: @repository.name) }, status: :ok
+      render json: { flash: t('repositories.archive_records.success_flash', repository: escape_input(@repository.name)) }
    else
      render json: { error: service.error_message }, status: :unprocessable_entity
    end
@ -273,7 +273,7 @@ class RepositoryRowsController < ApplicationController
                                                         team: current_team)

    if service.succeed?
-      render json: { flash: t('repositories.restore_records.success_flash', repository: @repository.name) }, status: :ok
+      render json: { flash: t('repositories.restore_records.success_flash', repository: escape_input(@repository.name)) }
    else
      render json: { error: service.error_message }, status: :unprocessable_entity
    end