Escape text passed in collection sorting

Previously, the ID and title of tips and exercises newly added to the list were gathered from the DOM. While we keep this mechanism, we ensure to escape the text before reusing it.
2024-03-25 23:36:28 +01:00
parent 2c28e8616a
commit dfa970664d
2 changed files with 2 additions and 2 deletions
--- a/app/assets/javascripts/exercise_collections.js
+++ b/app/assets/javascripts/exercise_collections.js
@ -167,7 +167,7 @@ $(document).on('turbolinks:load', function() {
      }

      var addExercise = function (id, title) {
-        var exercise = {id: id, title: title}
+        var exercise = {id: _.escape(id), title: _.escape(title)}
        var collectionExercises = collectContainedExercises();
        if (collectionExercises.indexOf(exercise.id) === -1) {
          // only add exercises that are not already contained in the collection
--- a/app/assets/javascripts/exercises.js
+++ b/app/assets/javascripts/exercises.js
@ -225,7 +225,7 @@ $(document).on('turbolinks:load', function () {
        $('.remove-tip').on('click', removeTip);

        function addTip(id, title) {
-            const tip = {id: id, title: title}
+            const tip = {id: _.escape(id), title: _.escape(title)}
            const template =
                '<div class="list-group-item d-block" data-tip-id=' + tip.id + ' data-id="">' +
                '<span class="fa-solid fa-bars me-3"></span>' + tip.title +