From 449ff0b4697327427a713bf726fe3c26dfabf7eb Mon Sep 17 00:00:00 2001
From: uhensler <urs.hensler@frentix.com>
Date: Fri, 28 Jun 2019 09:04:46 +0200
Subject: [PATCH] OO-4080: Strip html tags in radar charts

---
 .../chart/RadarChartComponentRenderer.java          | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/olat/core/gui/components/chart/RadarChartComponentRenderer.java b/src/main/java/org/olat/core/gui/components/chart/RadarChartComponentRenderer.java
index 3289232e4bc..ddb70d409de 100644
--- a/src/main/java/org/olat/core/gui/components/chart/RadarChartComponentRenderer.java
+++ b/src/main/java/org/olat/core/gui/components/chart/RadarChartComponentRenderer.java
@@ -30,6 +30,7 @@ import org.olat.core.gui.render.StringOutput;
 import org.olat.core.gui.render.URLBuilder;
 import org.olat.core.gui.translator.Translator;
 import org.olat.core.util.StringHelper;
+import org.olat.core.util.filter.FilterFactory;
 
 /**
  * 
@@ -118,7 +119,9 @@ public class RadarChartComponentRenderer extends DefaultComponentRenderer {
 		
 		sb.append("[");
 		for(int i=0; i<numOfSeries; i++) {
-			String name = StringHelper.escapeJavaScript(axis.get(i));
+			String name = axis.get(i);
+			name = FilterFactory.getHtmlTagAndDescapingFilter().filter(name);
+			name = StringHelper.escapeJavaScript(name);
 			sb.append("\"").append(name).append("\"");
 			if(i < (numOfSeries - 1)) {
 				sb.append(",");
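Review bot: The new `FilterFactory.getHtmlTagAndDescapingFilter().filter(name)` call runs before `StringHelper.escapeJavaScript(name)`, and if the filter does what its name suggests (strip tags, then unescape entities), an entity-encoded label such as `&lt;b&gt;` would leave the filter with literal angle brackets and reach the emitted string literal that way. Whether that is safe depends on code not visible in this diff: `escapeJavaScript` would have to neutralise `<` and `/` for an inline script context, and the client-side chart code would have to insert labels as text rather than markup. I would record that assumption next to the calls, e.g. `// descaping can reintroduce < and >; labels must be inserted as text on the client`, and add a renderer test with an entity-encoded label. The same applies to the series-name hunk and the point-axis hunk below; the enclosing method starts and ends outside this hunk.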
@@ -132,7 +135,9 @@ public class RadarChartComponentRenderer extends DefaultComponentRenderer {
 		
 		sb.append("[");
 		for(int i=0; i<numOfSeries; i++) {
-			String name = StringHelper.escapeJavaScript(series.get(i).getName());
+			String name = series.get(i).getName();
+			name = FilterFactory.getHtmlTagAndDescapingFilter().filter(name);
+			name = StringHelper.escapeJavaScript(name);
 			sb.append("\"").append(name).append("\"");
 			if(i < (numOfSeries - 1)) {
 				sb.append(",");
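Review bot: The strip-then-escape pair on these lines is duplicated verbatim in the axis-name hunk above and the point-axis hunk below, so the order of the two calls is now maintained in three places. A private helper such as `private static String toJsLabel(String raw)` returning `StringHelper.escapeJavaScript(FilterFactory.getHtmlTagAndDescapingFilter().filter(raw))` would reduce each call site to `String name = toJsLabel(series.get(i).getName());` and keep a later fix from reaching one copy and missing another. How `filter()` treats a null name is not visible from the diff, so the helper is also the natural place to decide what a missing label renders as. The loop body continues outside the hunk.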
@@ -152,7 +157,9 @@ public class RadarChartComponentRenderer extends DefaultComponentRenderer {
 			int numOfPoints = points.size();
 			for(int j=0; j<numOfPoints; j++) {
 				RadarPoint point = points.get(j);
-				String axis = StringHelper.escapeJavaScript(point.getAxis());
+				String axis = point.getAxis();
+				axis = FilterFactory.getHtmlTagAndDescapingFilter().filter(axis);
+				axis = StringHelper.escapeJavaScript(axis);
 				sb.append("{axis:\"").append(axis).append("\",value:").append(point.getValue()).append("}");
 				if(j < (numOfPoints - 1)) {
 					sb.append(",");
-- 
GitLab