From 139b348d09b876659f14d334502bf18a7b3192e3 Mon Sep 17 00:00:00 2001
From: Michael Witrant
Date: Sun, 6 Mar 2011 17:30:45 +0800
Subject: [PATCH] escape javascript strings in todo creation and update
---
 app/views/todos/create.js.erb | 8 ++++----
 app/views/todos/update.js.erb | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/app/views/todos/create.js.erb b/app/views/todos/create.js.erb
index cdc91ac4..58155973 100644
--- a/app/views/todos/create.js.erb
+++ b/app/views/todos/create.js.erb
@@ -1,5 +1,5 @@
 <% if @saved -%>
- TracksPages.page_notify('notice', "<%=@status_message%>", 5);
+ TracksPages.page_notify('notice', "<%=escape_javascript @status_message%>", 5);
 TracksPages.hide_errors();
 TracksPages.set_page_badge(<%= @down_count %>);
 <% if should_show_new_item -%>
@@ -18,9 +18,9 @@ function clear_form() {
 $('#todo-form-new-action').clearForm();
 $('#todo-form-new-action').clearDeps();
- TracksForm.set_context_name('<%=@initial_context_name%>');
- TracksForm.set_project_name('<%=@initial_project_name%>');
- TracksForm.set_tag_list('<%=@default_tags%>');
+ TracksForm.set_context_name('<%=escape_javascript @initial_context_name%>');
+ TracksForm.set_project_name('<%=escape_javascript @initial_project_name%>');
+ TracksForm.set_tag_list('<%=escape_javascript @default_tags%>');
 $('#todo-form-new-action input:text:first').focus();
 }
diff --git a/app/views/todos/update.js.erb b/app/views/todos/update.js.erb
index adb412b3..9c48aa9a 100644
--- a/app/views/todos/update.js.erb
+++ b/app/views/todos/update.js.erb
@@ -20,7 +20,7 @@
 %>
 <%= render_animation(animation) %>
- TracksPages.page_notify('notice', '<%=@status_message%>', 5);
+ TracksPages.page_notify('notice', '<%=escape_javascript @status_message%>', 5);
 TracksPages.set_page_badge(<%= @down_count %>);
 <% end %>
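Review bot: `TracksPages.set_page_badge(<%= @down_count %>);` in this hunk, and the identical line in the update.js.erb hunk, still interpolates an instance variable straight into JavaScript with no quoting or escaping. If @down_count is always an Integer produced by a count this is harmless, but a nil renders as `set_page_badge();` and any non-numeric value would be emitted as code rather than data; `<%= @down_count.to_i %>` (or `<%= @down_count.to_json %>`) pins the emitted token to a number regardless of what the controller assigned. Note also that escape_javascript only protects the value while it sits inside the surrounding string quotes, so the quotes on the page_notify lines are part of the fix and should not be dropped later. The `<% if should_show_new_item -%>` branch continues outside the hunk.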
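Review bot: The three `TracksForm.set_*` lines are now correct as JavaScript string literals, but escape_javascript neutralises quotes, newlines and `</` only, not HTML markup in general; whether set_context_name, set_project_name and set_tag_list write the value with .val()/.text() or into innerHTML is not visible in this hunk, and in the latter case the context, project or tag text would still need HTML escaping at the point of insertion. A short comment at the call site would keep that contract visible, e.g. `// values are JS-string-escaped only; TracksForm.set_* must treat them as text, not HTML`. clear_form() begins before this hunk.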