From d5cc9c8eb609649bb2a6993fcbf8c72b854507b1 Mon Sep 17 00:00:00 2001
From: Maciej Tronowski <mtro@man.poznan.pl>
Date: Wed, 2 Sep 2015 12:45:52 +0200
Subject: [PATCH] proper escaping of file attributes in js templates

---
 filex/static/filex/filex.js          |    2 +-
 filex/templates/filex/source.js.html |   20 ++++++++++----------
 filex/templates/filex/upload.js.html |   14 +++++++-------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/filex/static/filex/filex.js b/filex/static/filex/filex.js
index 011f47c..9f34b5e 100644
--- a/filex/static/filex/filex.js
+++ b/filex/static/filex/filex.js
@@ -234,7 +234,7 @@ $(function(){
 
             // used in selectize callbacks
             var view = this,
-                optionTemplate = _.template('<div><div><%= host %></div><div class="small text-muted"><%= path %></div></div>');
+                optionTemplate = _.template('<div><div><%- host %></div><div class="small text-muted"><%- path %></div></div>');
 
             this.$('#host-selector').selectize({
                 optgroupField: 'group',
diff --git a/filex/templates/filex/source.js.html b/filex/templates/filex/source.js.html
index 9457298..451d270 100644
--- a/filex/templates/filex/source.js.html
+++ b/filex/templates/filex/source.js.html
@@ -14,24 +14,24 @@
 
 <script type="text/template" id="dir-template">
     <td class="text-center">
-        <label for="dir-<%= cid %>" class="sr-only">Zaznacz katalog <%= name %></label>
-        <input id="dir-<%= cid %>" type="checkbox" autocomplete="off">
+        <label for="dir-<%- cid %>" class="sr-only">Zaznacz katalog <%- name %></label>
+        <input id="dir-<%- cid %>" type="checkbox" autocomplete="off">
     </td>
     <td class="text-center"><span class="glyphicon glyphicon-folder-open" aria-hidden="true"></span></td>
-    <td><a class="link" href="#<%= url %>"><%= name %></a></td>
-    <td class="text-right"><%= size %></td>
-    <td><%= date %></td>
+    <td><a class="link" href="#<%- url %>"><%- name %></a></td>
+    <td class="text-right"><%- size %></td>
+    <td><%- date %></td>
 </script>
 
 <script type="text/template" id="file-template">
     <td class="text-center">
-        <label for="file-<%= cid %>" class="sr-only">Zaznacz plik <%= name %></label>
-        <input id="file-<%= cid %>" type="checkbox" autocomplete="off">
+        <label for="file-<%- cid %>" class="sr-only">Zaznacz plik <%- name %></label>
+        <input id="file-<%- cid %>" type="checkbox" autocomplete="off">
     </td>
     <td class="text-center"><span class="glyphicon glyphicon-file" aria-hidden="true"></span></td>
     <td>
-        <a class="link" href="{% url 'filex:download' %}?<%= params %>"><%= name %></a>
+        <a class="link" href="{% url 'filex:download' %}?<%- params %>"><%- name %></a>
     </td>
-    <td class="text-right"><%= size %></td>
-    <td><%= date %></td>
+    <td class="text-right"><%- size %></td>
+    <td><%- date %></td>
 </script>
diff --git a/filex/templates/filex/upload.js.html b/filex/templates/filex/upload.js.html
index 3f1f786..cefe181 100644
--- a/filex/templates/filex/upload.js.html
+++ b/filex/templates/filex/upload.js.html
@@ -173,7 +173,7 @@
 <script type="text/template" id="template">
     <div class="item">
         <div class="text clearfix">
-            <span class="name"><%= name %></span>
+            <span class="name"><%- name %></span>
             <span class="status pull-right">
                 <em class="small bit-rate" style="margin-right: 15px"></em>
                 <span class="text-muted progress-info">Oczekiwanie</span>
@@ -181,7 +181,7 @@
         </div>
 
         <div class="progress">
-            <div class="progress-bar" role="progressbar" aria-valuenow="0" aria-valuemin="0" aria-valuemax="<%= size %>" style="width: 0;">
+            <div class="progress-bar" role="progressbar" aria-valuenow="0" aria-valuemin="0" aria-valuemax="<%- size %>" style="width: 0;">
                 <span class="sr-only">0%</span>
             </div>
         </div>
@@ -189,7 +189,7 @@
 </script>
 
 <script type="text/template" id="conflict-template">
-    <h4>W wybranej lokalizacji plik o nazwie <em><%= name %></em> już istnieje!</h4>
+    <h4>W wybranej lokalizacji plik o nazwie <em><%- name %></em> już istnieje!</h4>
 
     <table class="table">
         <thead>
@@ -202,13 +202,13 @@
         <tbody>
             <tr>
                 <th scope="row">Data modyfikacji</th>
-                <td><%= srcDate.format('D MMM YYYY, h:mm') %></td>
-                <td><%= dstDate.format('D MMM YYYY, h:mm') %></td>
+                <td><%- srcDate.format('D MMM YYYY, h:mm') %></td>
+                <td><%- dstDate.format('D MMM YYYY, h:mm') %></td>
             </tr>
             <tr>
                 <th scope="row">Rozmiar</th>
-                <td><%= srcSize %></td>
-                <td><%= dstSize %></td>
+                <td><%- srcSize %></td>
+                <td><%- dstSize %></td>
             </tr>
         </tbody>
     </table>
-- 
1.7.9.5