From 6e09e98225a18b2674288e92323770add74138b7 Mon Sep 17 00:00:00 2001
From: Julius Volz <julius@soundcloud.com>
Date: Fri, 9 Aug 2013 16:08:13 +0200
Subject: [PATCH] Add HTML escaping to silence label input values.

---
 web/static/js/alerts.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/web/static/js/alerts.js b/web/static/js/alerts.js
index f61e3f61..c64dc7d9 100644
--- a/web/static/js/alerts.js
+++ b/web/static/js/alerts.js
@@ -12,12 +12,18 @@ function addSilenceLabel(label, value) {
   if (!value) {
     value = "";
   }
-  $("#silence_filters_table").append(
+
+  row = $(
         '<tr>' +
-        '  <td><input class="input-large" name="silence_filter_label[]" type="text" placeholder="Label regex" value="' + label + '" required></td>' +
-        '  <td><input class="input-large" name="silence_filter_value[]" type="text" placeholder="Value regex" value="' + value + '" required></td>' +
+        '  <td><input class="input-large" name="silence_filter_label[]" type="text" placeholder="Label regex" required></td>' +
+        '  <td><input class="input-large" name="silence_filter_value[]" type="text" placeholder="Value regex" required></td>' +
         '  <td><button type="button" class="btn del_label_button"><i class="icon-minus"></i></button></td>' +
         '</tr>');
+  // Insert the values after creating the inputs to get automatic HTML escaping.
+  row.find("input[name='silence_filter_label[]']").val(label);
+  row.find("input[name='silence_filter_value[]']").val(value);
+
+  $("#silence_filters_table").append(row);
   bindDelLabel();
 }