From c94595ea7f0f843c2d7abf25df039b2bbe707625 Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Fri, 7 Feb 2014 16:12:14 -0500
Subject: [PATCH] Escape HTML in CSS dialogs
---
 UI/WebServerResources/SchedulerUI.js | 4 ++--
 UI/WebServerResources/generic.js | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/UI/WebServerResources/SchedulerUI.js b/UI/WebServerResources/SchedulerUI.js
index 2d5557125..c7773c337 100644
--- a/UI/WebServerResources/SchedulerUI.js
+++ b/UI/WebServerResources/SchedulerUI.js
@@ -265,7 +265,7 @@ function deleteEvent() {
 content = nodes[i].allTextContent();
 }
 itemElement.appendChild(colorBox);
- itemElement.appendChild(new Element('span').update(content));
+ itemElement.appendChild(new Element('span').update(content.escapeHTML()));
 if (nodes[i].startDate) {
 var startDate = new Date(nodes[i].startDate*1000);
 var dateElement = new Element('div', {'class': 'muted'});
@@ -332,7 +332,7 @@ function deleteEvent() {
 }
 }
 itemElement.appendChild(colorBox);
- itemElement.appendChild(new Element('span').update(content));
+ itemElement.appendChild(new Element('span').update(content.escapeHTML()));
 if (selectedCalendarCell[i].startDate) {
 var startDate = new Date(selectedCalendarCell[i].startDate*1000);
 var dateElement = new Element('div', {'class': 'muted'});
diff --git a/UI/WebServerResources/generic.js b/UI/WebServerResources/generic.js
index ced3c99b0..e5b669314 100644
--- a/UI/WebServerResources/generic.js
+++ b/UI/WebServerResources/generic.js
@@ -1467,7 +1467,7 @@ function showAlarmCallback(http) {
 if (data["description"].length)
 msg += "\n\n" + data["description"];
- window.alert(msg);
+ window.alert(msg.unescapeHTML());
 showSelectDialog(data["summary"], _('Snooze for '), {
 '5': _('5 minutes'),
 '10': _('10 minutes'),
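Review bot: The escaping is done at each call site rather than at the sink, so the next `new Element('span').update(...)` added to deleteEvent has to remember `.escapeHTML()` again; the @@ -332 hunk is already the second copy of the same line. Because the span only ever carries text, a text node needs no escaping and cannot be re-read as markup: `var textSpan = new Element('span'); textSpan.appendChild(document.createTextNode(content)); itemElement.appendChild(textSpan);`. That form also avoids a TypeError when `content` is not a string — in the @@ -332 hunk its assignment is outside the visible lines, so I cannot confirm it always is. deleteEvent continues outside both hunks.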
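Review bot: `msg.unescapeHTML()` is only correct if `data["summary"]` and `data["description"]` arrive HTML-escaped from the server, and nothing in the hunk records that assumption; the same `data["summary"]` is passed unchanged to showSelectDialog on the next line, where it presumably reaches the `update(title)` sink introduced in the @@ -1983 hunk and is rendered as markup. A one-line comment above the alert would keep the two paths from drifting apart: `// summary/description are HTML-escaped server-side; alert() shows raw text, so unescape for it only`. If the server does not escape these fields, the dialog path is the one that needs attention, not this line. showAlarmCallback starts outside the hunk.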
@@ -1983,7 +1983,7 @@ function createDialog(id, title, legend, content, positionClass) {
 var subdiv = createElement("div", null, null, null, null, newDialog);
 if (title && title.length > 0) {
 var titleh3 = createElement("h3", null, null, null, null, subdiv);
- titleh3.appendChild(document.createTextNode(title));
+ titleh3.update(title);
 }
 if (legend) {
 if (Object.isElement(legend))
@@ -2141,14 +2141,14 @@ function _showSelectDialog(title, label, options, button, callbackFcn, callbackA
 } else {
 var fields = createElement("p", null, []);
- fields.appendChild(document.createTextNode(label));
+ fields.update(label);
 var select = createElement("select"); //, null, null, { cname: name } );
 fields.appendChild(select);
 var values = $H(options).keys();
 for (var i = 0; i < values.length; i++) {
 var option = createElement("option", null, null, { value: values[i] }, null, select);
- option.appendChild(document.createTextNode(options[values[i]]));
+ option.update(options[values[i]]);
 }
 fields.appendChild(createElement("br"));
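Review bot: Replacing `document.createTextNode(title)` with `titleh3.update(title)` turns the dialog title from a text sink into a markup sink (Prototype's update() assigns innerHTML for string content), so every caller of createDialog must now pass an already-escaped string; the commit escapes the two deleteEvent sites but leaves the new contract undocumented, and the @@ -2141 hunk makes the same switch for `label` and the option texts in _showSelectDialog. I would add a JSDoc block on createDialog stating that `title`, `legend` and `content` are inserted as HTML and must be escaped by the caller (`String#escapeHTML`), with the matching note on _showSelectDialog, and check that the remaining callers of both functions pass escaped strings — they are not visible from the hunk. If plain-text titles are the norm, keeping the text node and unescaping only at the callers that receive server-escaped data would be the narrower change. createDialog's body continues outside the hunk.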