HTML-escape the abstract, experiment and sample descriptions displayed by dropDownUtils.js

vagisha · vagisha · commit 0fc25a34e1dc · 2025-03-20T12:16:05.000-07:00
diff --git a/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js b/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js
@@ -66,12 +66,13 @@ viewExperimentDetails = function (obj, experimentContainer, id, detailsPageURL)
         var results;
         if(object.rows[rowNum][type] != null)
         {
-            if(object.rows[rowNum][type].length > 500)
+            let description = object.rows[rowNum][type];
+            if(description.length > 500)
             {
-                results = object.rows[rowNum][type].substring(0,500)+"<a href='"+detailsPageURL+"'>...more.</a>";
+                results =  LABKEY.Utils.encodeHtml(description.substring(0,500)) +"<a href='"+ LABKEY.Utils.encodeHtml(detailsPageURL) +"'>...more.</a>";
             }
             else {
-                results =object.rows[rowNum][type];
+                results =  LABKEY.Utils.encodeHtml(description);
             }
         }
         else {results = null;}

Original file line number	Diff line number	Diff line change
`@@ -66,12 +66,13 @@ viewExperimentDetails = function (obj, experimentContainer, id, detailsPageURL)`
`66`	`66`	`var results;`
`67`	`67`	`if(object.rows[rowNum][type] != null)`
`68`	`68`	`{`
`69`		`- if(object.rows[rowNum][type].length > 500)`
	`69`	`+ let description = object.rows[rowNum][type];`
	`70`	`+ if(description.length > 500)`
`70`	`71`	`{`
`71`		`- results = object.rows[rowNum][type].substring(0,500)+"<a href='"+detailsPageURL+"'>...more.</a>";`
	`72`	`+ results = LABKEY.Utils.encodeHtml(description.substring(0,500)) +"<a href='"+ LABKEY.Utils.encodeHtml(detailsPageURL) +"'>...more.</a>";`
`72`	`73`	`}`
`73`	`74`	`else {`
`74`		`- results =object.rows[rowNum][type];`
	`75`	`+ results = LABKEY.Utils.encodeHtml(description);`
`75`	`76`	`}`
`76`	`77`	`}`
`77`	`78`	`else {results = null;}`