Escape property keys when creating table view

pe4cey · pe4cey · commit 407864fc9a86 · 2016-06-09T15:22:55.000+01:00
diff --git a/app/scripts/directives/neoTable.coffee b/app/scripts/directives/neoTable.coffee
@@ -35,7 +35,7 @@ angular.module('neo4jApp.directives')
         json2html = (obj) ->
           return emptyMarker() unless Object.keys(obj).length
           html  = "<table class='json-object'><tbody>"
-          html += "<tr><th>#{k}</th><td>#{cell2html(v)}</td></tr>" for own k, v of obj
+          html += "<tr><th>#{Utils.escapeHTML(k)}</th><td>#{cell2html(v)}</td></tr>" for own k, v of obj
           html += "</tbody></table>"
           html
 
@@ -59,7 +59,7 @@ angular.module('neo4jApp.directives')
           html  = "<table class='table data'>"
           html += "<thead><tr>"
           for col in cols
-            html += "<th>#{col}</th>"
+            html += "<th>#{Utils.escapeHTML(col)}</th>"
           html += "</tr></thead>"
           html += "<tbody>"
           if result.displayedSize
diff --git a/test/spec/directives/neoTable.coffee b/test/spec/directives/neoTable.coffee
@@ -33,3 +33,36 @@ describe 'Directive: neoTable', () ->
       columns: -> ['col']
     scope.$apply()
     expect(element.html()).toContain('&lt;script&gt;')
+
+  it 'should escape HTML characters in column name', inject ($rootScope, $compile) ->
+    scope = $rootScope.$new()
+    element = angular.element '<neo-table table-data="val"></neo-table>'
+    element = $compile(element)(scope)
+    scope.val =
+      rows: -> [[]]
+      displayedSize: 1
+      columns: -> ['<p>']
+    scope.$apply()
+    expect(element.html()).toContain('&lt;p&gt;')
+
+  it 'should escape HTML characters in property name', inject ($rootScope, $compile) ->
+    scope = $rootScope.$new()
+    element = angular.element '<neo-table table-data="val"></neo-table>'
+    element = $compile(element)(scope)
+    scope.val =
+      rows: -> [[{'<p>':'value'}]]
+      displayedSize: 1
+      columns: -> ['col']
+    scope.$apply()
+    expect(element.html()).toContain('&lt;p&gt;')
+
+  it 'should escape HTML characters in property value', inject ($rootScope, $compile) ->
+    scope = $rootScope.$new()
+    element = angular.element '<neo-table table-data="val"></neo-table>'
+    element = $compile(element)(scope)
+    scope.val =
+      rows: -> [[{'key':'<p>'}]]
+      displayedSize: 1
+      columns: -> ['col']
+    scope.$apply()
+    expect(element.html()).toContain('&lt;p&gt;')
