Merge "Move the HTML-escaping JavaScript code to a separate function"

horizon/static/horizon/js/horizon.instances.js

@@ -45,25 +45,19 @@ horizon.instances = {
    * Initializes an associative array of lists of the current
    * networks.
    **/
-  init_network_list: function() {
+  init_network_list: function () {
     horizon.instances.networks_selected = [];
     horizon.instances.networks_available = [];
-    $(this.get_network_element("")).each(function(){
+    $(this.get_network_element("")).each(function () {
       var $this = $(this);
       var $input = $this.children("input");
-      var name = $this.text().replace(/^\s+/,"")
-                             .replace(/&/g, '&')
-                             .replace(/</g, '&lt;')
-                             .replace(/>/g, '&gt;')
-                             .replace(/"/g, '&quot;')
-                             .replace(/'/g, '&#x27;')
-                             .replace(/\//g, '&#x2F;');
+      var name = horizon.escape_html($this.text().replace(/^\s+/, ""));
       var network_property = {
-        name:name,
-        id:$input.attr("id"),
-        value:$input.attr("value")
+        "name": name,
+        "id": $input.attr("id"),
+        "value": $input.attr("value")
       };
-      if($input.is(':checked')) {
+      if ($input.is(":checked")) {
         horizon.instances.networks_selected.push(network_property);
       } else {
         horizon.instances.networks_available.push(network_property);

horizon/static/horizon/js/horizon.js

@@ -28,6 +28,16 @@ var Horizon = function () {
     initFunctions = [];
   };
 
+  /* An utility function for escaping HTML to avoid XSS. */
+  horizon.escape_html = function (text) {
+    return text.replace(/&/g, '&')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#x27;')
+      .replace(/\//g, '&#x2F;');
+  };
+
   return horizon;
 };