From 0a8f6fa3fe0bbfdf84ce39404a4a3b288f01bec8 Mon Sep 17 00:00:00 2001
From: Robert Raposa
Date: Tue, 15 Mar 2016 09:32:10 -0400
Subject: [PATCH] Properly escape the name

---
 lms/templates/instructor/instructor_dashboard_2/metrics.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lms/templates/instructor/instructor_dashboard_2/metrics.html b/lms/templates/instructor/instructor_dashboard_2/metrics.html
index 7aae9338ae..5eee8e05e1 100644
--- a/lms/templates/instructor/instructor_dashboard_2/metrics.html
+++ b/lms/templates/instructor/instructor_dashboard_2/metrics.html
@@ -91,7 +91,7 @@ from django.template.defaultfilters import escapejs
 $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
 $.each(response.results, function(index, value ){
- overlay_content = '' + value['name'] + "" + value['username'] + '';
+ overlay_content = '' + _.escape(value['name']) + "" + _.escape(value['username']) + '';
 $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
 });
 // If student list too long, append message to screen.
@@ -131,7 +131,7 @@ from django.template.defaultfilters import escapejs
 $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
 $.each(response.results, function(index, value ){
- overlay_content = '' + value['name'] + "" + value['username'] + "" + value['grade'] + "" + value['percent'] + '';
+ overlay_content = '' + _.escape(value['name']) + "" + _.escape(value['username']) + "" + _.escape(value['grade']) + "" + _.escape(value['percent']) + '';
 $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
 });
 // If student list too long, append message to screen.
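Review bot: The new line still builds the table row by string concatenation and hands it to `.append()` as HTML, so the escaping is correct only as long as every field wrapped here and in the hunk at line 131 (`grade`, `percent`) keeps its `_.escape` call, and any field added to the row later must remember it too. Letting jQuery set text removes that per-field burden: `var row = $('<tr>').append($('<td>').text(value['name']), $('<td>').text(value['username']));` followed by `$('.metrics-overlay-content tbody', metrics_overlay).append(row);`. The markup between the string fragments was lost in this extraction, so I cannot confirm that none of the values lands in an attribute or script context, where HTML-entity escaping alone would not be sufficient; `_.escape` also presumes Underscore is loaded on this page. The `$.each` callback is fully inside the hunk, but the enclosing response handler starts and ends outside it.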