[pve-devel] [PATCH pve-manager 1/2] htmlEncode values in {Pending, }ObjectGrid by default

[Wolfgang Bumiller]

---
 www/manager/grid/ObjectGrid.js        | 4 ++--
 www/manager/grid/PendingObjectGrid.js | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/www/manager/grid/ObjectGrid.js b/www/manager/grid/ObjectGrid.js
index cd135a1..c8a6525 100644
--- a/www/manager/grid/ObjectGrid.js
+++ b/www/manager/grid/ObjectGrid.js
@@ -26,10 +26,10 @@ Ext.define('PVE.grid.ObjectGrid', {
 
 	var renderer = rowdef.renderer;
 	if (renderer) {
-	    return renderer(value, metaData, record, rowIndex, colIndex, store);
+	    value = renderer(value, metaData, record, rowIndex, colIndex, store);
 	}
 
-	return value;
+	return Ext.util.Format.htmlEncode(value);
     },
 
     initComponent : function() {
diff --git a/www/manager/grid/PendingObjectGrid.js b/www/manager/grid/PendingObjectGrid.js
index 546afd3..f8efe30 100644
--- a/www/manager/grid/PendingObjectGrid.js
+++ b/www/manager/grid/PendingObjectGrid.js
@@ -63,7 +63,10 @@ Ext.define('PVE.grid.PendingObjectGrid', {
 	    pendingdelete = '<div style="text-decoration: line-through;">'+ current +'</div>';
 	}
 
+	current = Ext.util.Format.htmlEncode(current);
 	if (pending || pendingdelete) {
+	    pending = Ext.util.Format.htmlEncode(pending);
+	    pendingdelete = Ext.util.Format.htmlEncode(pendingdelete);
 	    return current + '<div style="color:red">' + pending + pendingdelete + '</div>';
 	} else {
 	    return current;
-- 
2.1.4