From 491c213af67ab65ea3f4b40e8cf39558fb378e6b Mon Sep 17 00:00:00 2001
From: Connor Shea <connor.james.shea@gmail.com>
Date: Tue, 21 Jun 2016 16:00:01 -0600
Subject: Fix unescaped strings in Underscore templates.

---
 app/assets/javascripts/issuable.js.coffee         |  8 ++++----
 app/assets/javascripts/labels_select.js.coffee    |  6 +++---
 app/assets/javascripts/milestone_select.js.coffee |  6 +++---
 app/assets/javascripts/users_select.js.coffee     | 12 ++++++------
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/app/assets/javascripts/issuable.js.coffee b/app/assets/javascripts/issuable.js.coffee
index 0527c66461c..c71d4ecf505 100644
--- a/app/assets/javascripts/issuable.js.coffee
+++ b/app/assets/javascripts/issuable.js.coffee
@@ -11,11 +11,11 @@ issuable_created = false
   initTemplates: ->
     Issuable.labelRow = _.template(
       '<% _.each(labels, function(label){ %>
-        <span class="label-row btn-group" role="group" aria-label="<%= _.escape(label.title) %>" style="color: <%= label.text_color %>;">
-          <a href="#" class="btn btn-transparent has-tooltip" style="background-color: <%= label.color %>;" title="<%= _.escape(label.description) %>" data-container="body">
-            <%= _.escape(label.title) %>
+        <span class="label-row btn-group" role="group" aria-label="<%- label.title %>" style="color: <%- label.text_color %>;">
+          <a href="#" class="btn btn-transparent has-tooltip" style="background-color: <%- label.color %>;" title="<%- label.description %>" data-container="body">
+            <%- label.title %>
           </a>
-          <button type="button" class="btn btn-transparent label-remove js-label-filter-remove" style="background-color: <%= label.color %>;" data-label="<%= _.escape(label.title) %>">
+          <button type="button" class="btn btn-transparent label-remove js-label-filter-remove" style="background-color: <%- label.color %>;" data-label="<%- label.title %>">
             <i class="fa fa-times"></i>
           </button>
         </span>
diff --git a/app/assets/javascripts/labels_select.js.coffee b/app/assets/javascripts/labels_select.js.coffee
index e95fd96a83f..ce859fedb2d 100644
--- a/app/assets/javascripts/labels_select.js.coffee
+++ b/app/assets/javascripts/labels_select.js.coffee
@@ -32,9 +32,9 @@ class @LabelsSelect
       if issueUpdateURL
         labelHTMLTemplate = _.template(
             '<% _.each(labels, function(label){ %>
-            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name[]=<%= _.escape(label.title) %>">
-            <span class="label has-tooltip color-label" title="<%= _.escape(label.description) %>" style="background-color: <%= label.color %>; color: <%= label.text_color %>;">
-            <%= _.escape(label.title) %>
+            <a href="<%- ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name[]=<%- label.title %>">
+            <span class="label has-tooltip color-label" title="<%- label.description %>" style="background-color: <%- label.color %>; color: <%- label.text_color %>;">
+            <%- label.title %>
             </span>
             </a>
             <% }); %>'
diff --git a/app/assets/javascripts/milestone_select.js.coffee b/app/assets/javascripts/milestone_select.js.coffee
index 02480f3a025..8ab03ed93ee 100644
--- a/app/assets/javascripts/milestone_select.js.coffee
+++ b/app/assets/javascripts/milestone_select.js.coffee
@@ -24,14 +24,14 @@ class @MilestoneSelect
 
       if issueUpdateURL
         milestoneLinkTemplate = _.template(
-          '<a href="/<%= namespace %>/<%= path %>/milestones/<%= iid %>" class="bold has-tooltip" data-container="body" title="<%= remaining %>"><%= _.escape(title) %></a>'
+          '<a href="/<%- namespace %>/<%- path %>/milestones/<%- iid %>" class="bold has-tooltip" data-container="body" title="<%- remaining %>"><%- title %></a>'
         )
 
         milestoneLinkNoneTemplate = '<span class="no-value">None</span>'
 
         collapsedSidebarLabelTemplate = _.template(
-          '<span class="has-tooltip" data-container="body" title="<%= remaining %>" data-placement="left">
-            <%= _.escape(title) %>
+          '<span class="has-tooltip" data-container="body" title="<%- remaining %>" data-placement="left">
+            <%- title %>
           </span>'
         )
 
diff --git a/app/assets/javascripts/users_select.js.coffee b/app/assets/javascripts/users_select.js.coffee
index 2548efb2186..4e032ab1ff1 100644
--- a/app/assets/javascripts/users_select.js.coffee
+++ b/app/assets/javascripts/users_select.js.coffee
@@ -61,8 +61,8 @@ class @UsersSelect
 
       collapsedAssigneeTemplate = _.template(
         '<% if( avatar ) { %>
-        <a class="author_link" href="/u/<%= username %>">
-          <img width="24" class="avatar avatar-inline s24" alt="" src="<%= avatar %>">
+        <a class="author_link" href="/u/<%- username %>">
+          <img width="24" class="avatar avatar-inline s24" alt="" src="<%- avatar %>">
           <span class="author">Toni Boehm</span>
         </a>
         <% } else { %>
@@ -72,13 +72,13 @@ class @UsersSelect
 
       assigneeTemplate = _.template(
         '<% if (username) { %>
-        <a class="author_link bold" href="/u/<%= username %>">
+        <a class="author_link bold" href="/u/<%- username %>">
           <% if( avatar ) { %>
-          <img width="32" class="avatar avatar-inline s32" alt="" src="<%= avatar %>">
+          <img width="32" class="avatar avatar-inline s32" alt="" src="<%- avatar %>">
           <% } %>
-          <span class="author"><%= name %></span>
+          <span class="author"><%- name %></span>
           <span class="username">
-            @<%= username %>
+            @<%- username %>
           </span>
         </a>
           <% } else { %>
-- 
cgit v1.2.1