Use PageFlowUtil.jsString to escape container path (#522)

vagisha · labkey-jeckels · web-flow · commit 27764f0835af · 2025-03-21T22:01:03.000-07:00
- Use PageFlowUtil.jsString to escape container path.
- HTML-escape the abstract, experiment and sample descriptions displayed by dropDownUtils.js

Co-authored-by: Josh Eckels &lt;jeckels@labkey.com&gt;
diff --git a/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java b/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java
@@ -162,7 +162,10 @@ public void renderGridCellContents(RenderContext ctx, Writer out) throws IOExcep
                                             .at(src, PageFlowUtil.staticResourceUrl("_images/plus.gif"))),
                                     HtmlString.NBSP)
                                     .appendTo(out);
-                            pageConfig.addHandler(spanId, "click", "viewExperimentDetails(this,'" + container.getPath() + "', '" + id + "','" + detailsPage + "')");
+                            pageConfig.addHandler(spanId, "click", "viewExperimentDetails(this,"
+                                    + PageFlowUtil.jsString(container.getPath())
+                                    + ", " + id + ", "
+                                    + PageFlowUtil.jsString(detailsPage) + ")");
                         }
                         super.renderGridCellContents(ctx, out);
                     }
diff --git a/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js b/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js
@@ -66,12 +66,13 @@ viewExperimentDetails = function (obj, experimentContainer, id, detailsPageURL)
         var results;
         if(object.rows[rowNum][type] != null)
         {
-            if(object.rows[rowNum][type].length > 500)
+            let description = object.rows[rowNum][type];
+            if(description.length > 500)
             {
-                results = object.rows[rowNum][type].substring(0,500)+"<a href='"+detailsPageURL+"'>...more.</a>";
+                results =  LABKEY.Utils.encodeHtml(description.substring(0,500)) +"<a href=\""+ LABKEY.Utils.encodeHtml(detailsPageURL) +"\">...more.</a>";
             }
             else {
-                results =object.rows[rowNum][type];
+                results =  LABKEY.Utils.encodeHtml(description);
             }
         }
         else {results = null;}

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,10 @@ public void renderGridCellContents(RenderContext ctx, Writer out) throws IOExcep`
`162`	`162`	`.at(src, PageFlowUtil.staticResourceUrl("_images/plus.gif"))),`
`163`	`163`	`HtmlString.NBSP)`
`164`	`164`	`.appendTo(out);`
`165`		`- pageConfig.addHandler(spanId, "click", "viewExperimentDetails(this,'" + container.getPath() + "', '" + id + "','" + detailsPage + "')");`
	`165`	`+ pageConfig.addHandler(spanId, "click", "viewExperimentDetails(this,"`
	`166`	`+ + PageFlowUtil.jsString(container.getPath())`
	`167`	`+ + ", " + id + ", "`
	`168`	`+ + PageFlowUtil.jsString(detailsPage) + ")");`
`166`	`169`	`}`
`167`	`170`	`super.renderGridCellContents(ctx, out);`
`168`	`171`	`}`
Original file line number	Diff line number	Diff line change
`@@ -66,12 +66,13 @@ viewExperimentDetails = function (obj, experimentContainer, id, detailsPageURL)`
`66`	`66`	`var results;`
`67`	`67`	`if(object.rows[rowNum][type] != null)`
`68`	`68`	`{`
`69`		`- if(object.rows[rowNum][type].length > 500)`
	`69`	`+ let description = object.rows[rowNum][type];`
	`70`	`+ if(description.length > 500)`
`70`	`71`	`{`
`71`		`- results = object.rows[rowNum][type].substring(0,500)+"<a href='"+detailsPageURL+"'>...more.</a>";`
	`72`	`+ results = LABKEY.Utils.encodeHtml(description.substring(0,500)) +"<a href=\""+ LABKEY.Utils.encodeHtml(detailsPageURL) +"\">...more.</a>";`
`72`	`73`	`}`
`73`	`74`	`else {`
`74`		`- results =object.rows[rowNum][type];`
	`75`	`+ results = LABKEY.Utils.encodeHtml(description);`
`75`	`76`	`}`
`76`	`77`	`}`
`77`	`78`	`else {results = null;}`