Merge pull request #180 from pe4cey/escape-property-keys

Escape property keys when creating table view
neo4j · Jun 9, 2016 · 711487f · 711487f
2 parents ce59c42 + 407864f
commit 711487f
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/app/scripts/directives/neoTable.coffee b/app/scripts/directives/neoTable.coffee
@@ -36,7 +36,7 @@ angular.module('neo4jApp.directives')
         json2html = (obj) ->
           return emptyMarker() unless Object.keys(obj).length
           html  = "<table class='json-object'><tbody>"
-          html += "<tr><th>#{k}</th><td>#{cell2html(v)}</td></tr>" for own k, v of obj
+          html += "<tr><th>#{Utils.escapeHTML(k)}</th><td>#{cell2html(v)}</td></tr>" for own k, v of obj
           html += "</tbody></table>"
           html
 
@@ -62,7 +62,7 @@ angular.module('neo4jApp.directives')
           html  = "<table class='table data'>"
           html += "<thead><tr>"
           for col in cols
-            html += "<th>#{col}</th>"
+            html += "<th>#{Utils.escapeHTML(col)}</th>"
           html += "</tr></thead>"
           html += "<tbody>"
           if result.displayedSize

diff --git a/test/spec/directives/neoTable.coffee b/test/spec/directives/neoTable.coffee
@@ -33,3 +33,36 @@ describe 'Directive: neoTable', () ->
       columns: -> ['col']
     scope.$apply()
     expect(element.html()).toContain('&lt;script&gt;')
+
+  it 'should escape HTML characters in column name', inject ($rootScope, $compile) ->
+    scope = $rootScope.$new()
+    element = angular.element '<neo-table table-data="val"></neo-table>'
+    element = $compile(element)(scope)
+    scope.val =
+      rows: -> [[]]
+      displayedSize: 1
+      columns: -> ['<p>']
+    scope.$apply()
+    expect(element.html()).toContain('&lt;p&gt;')
+
+  it 'should escape HTML characters in property name', inject ($rootScope, $compile) ->
+    scope = $rootScope.$new()
+    element = angular.element '<neo-table table-data="val"></neo-table>'
+    element = $compile(element)(scope)
+    scope.val =
+      rows: -> [[{'<p>':'value'}]]
+      displayedSize: 1
+      columns: -> ['col']
+    scope.$apply()
+    expect(element.html()).toContain('&lt;p&gt;')
+
+  it 'should escape HTML characters in property value', inject ($rootScope, $compile) ->
+    scope = $rootScope.$new()
+    element = angular.element '<neo-table table-data="val"></neo-table>'
+    element = $compile(element)(scope)
+    scope.val =
+      rows: -> [[{'key':'<p>'}]]
+      displayedSize: 1
+      columns: -> ['col']
+    scope.$apply()
+    expect(element.html()).toContain('&lt;p&gt;')