From f83e67c40aefc98acfee01a6b5e3812e7c2108a8 Mon Sep 17 00:00:00 2001
From: juanf <juanf>
Date: Thu, 1 Dec 2016 07:50:39 +0000
Subject: [PATCH] SSDM-4453 : Links are now forced to use plain text display
 names, solves issues with HTML/Javascript injection and webpage refreshes.

SVN: 37421
---
 .../eln-lims/1/as/webapps/eln-lims/html/js/util/FormUtil.js    | 3 ++-
 .../eln-lims/html/js/views/SideMenu/SideMenuWidgetView.js      | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/openbis_standard_technologies/dist/core-plugins/eln-lims/1/as/webapps/eln-lims/html/js/util/FormUtil.js b/openbis_standard_technologies/dist/core-plugins/eln-lims/1/as/webapps/eln-lims/html/js/util/FormUtil.js
index bfc38e61332..81b6775270e 100644
--- a/openbis_standard_technologies/dist/core-plugins/eln-lims/1/as/webapps/eln-lims/html/js/util/FormUtil.js
+++ b/openbis_standard_technologies/dist/core-plugins/eln-lims/1/as/webapps/eln-lims/html/js/util/FormUtil.js
@@ -822,7 +822,8 @@ var FormUtil = new function() {
 		var click = function() {
 			mainController.changeView(view, permIdOrIdentifier, true);
 		}
-		var link = $("<a>", { "href" : href, "class" : "browser-compatible-javascript-link" }).append(displayName);
+		displayName = String(displayName).replace(/<(?:.|\n)*?>/gm, ''); //Clean any HTML tags
+		var link = $("<a>", { "href" : href, "class" : "browser-compatible-javascript-link" }).text(displayName);
 		link.click(click);
 		return link;
 	}
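Review bot: The tag-stripping regex on the added `displayName = String(displayName).replace(/<(?:.|\n)*?>/gm, '')` line is not what makes the link safe, because `.text(displayName)` on the next line already escapes any markup. The strip also alters legitimate names: `a < b > c` loses everything between the brackets, and a null or undefined displayName now renders as the literal text `null` or `undefined`, where `.append()` added nothing. I would keep only the escape, `.text(displayName == null ? "" : String(displayName))`. If stripping tags is wanted for display, the comment should say so: `// cosmetic only: .text() does the escaping`. The same line is added to getLinkForNode in SideMenuWidgetView.js, and `href` is built outside this hunk, so whether it can carry user-controlled data is not visible here.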
diff --git a/openbis_standard_technologies/dist/core-plugins/eln-lims/1/as/webapps/eln-lims/html/js/views/SideMenu/SideMenuWidgetView.js b/openbis_standard_technologies/dist/core-plugins/eln-lims/1/as/webapps/eln-lims/html/js/views/SideMenu/SideMenuWidgetView.js
index e9b66d2fa10..4f53d0df114 100644
--- a/openbis_standard_technologies/dist/core-plugins/eln-lims/1/as/webapps/eln-lims/html/js/views/SideMenu/SideMenuWidgetView.js
+++ b/openbis_standard_technologies/dist/core-plugins/eln-lims/1/as/webapps/eln-lims/html/js/views/SideMenu/SideMenuWidgetView.js
@@ -179,7 +179,8 @@ function SideMenuWidgetView(sideMenuWidgetController, sideMenuWidgetModel) {
     
     this.getLinkForNode = function(displayName, menuId, view, viewData) {
     	var href = Util.getURLFor(menuId, view, viewData);
-        var $menuItemLink = $("<a>", {"href": href, "class" : "browser-compatible-javascript-link browser-compatible-javascript-link-tree" }).append(displayName);
+    	displayName = String(displayName).replace(/<(?:.|\n)*?>/gm, ''); //Clean any HTML tags
+        var $menuItemLink = $("<a>", {"href": href, "class" : "browser-compatible-javascript-link browser-compatible-javascript-link-tree" }).text(displayName);
         return $menuItemLink[0].outerHTML;
     }
     
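Review bot: getLinkForNode returns `$menuItemLink[0].outerHTML`, a markup string rather than an element, and nothing in the added lines documents that the string is only safe because of `.text()`. Callers presumably insert the string back into the page as HTML, so a later return to `.append()` or string concatenation would reopen the injection. A comment above the return would record this: `// displayName is HTML-escaped by .text(); the serialized string is safe to insert as markup`. The added `displayName = ...` line is also indented with a tab where the surrounding lines use spaces.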
-- 
GitLab