Stefan Saasen avatar Stefan Saasen committed bb82217

Escape the room names on the space configuration page

Rename the JSON property on the action anc excplicitly disable the automatic HTML encoding for the JSON string.
Explcitily encode the Room attributes in the Javascript template.

Comments (0)

Files changed (2)


 import com.atlassian.labs.hipchat.components.ConfigurationManager;
 import com.atlassian.labs.hipchat.components.HipChatProxyClient;
 import com.atlassian.labs.hipchat.utils.InvalidAuthTokenException;
-import com.atlassian.plugin.webresource.WebResourceUrlProvider;
 import com.opensymphony.xwork.Action;
 import org.apache.commons.lang.StringUtils;
     private final ConfigurationManager configurationManager;
     private String roomId;
-    private String roomsHtml;
+    private String roomJson;
     private boolean successFullUpdate;
     public ViewSpaceConfigurationAction(HipChatProxyClient hipChatProxyClient, ConfigurationManager configurationManager)
             return Action.INPUT;
         } else {
             try {
-                setRoomsHtml(hipChatProxyClient.getRooms().toString());
+                setRoomJson(hipChatProxyClient.getRooms().toString());
             } catch (InvalidAuthTokenException e) {
                 return Action.ERROR;
         return roomId;
-    public String getRoomsHtml() {
-        return roomsHtml;
+    public String getRoomJson() {
+        return roomJson;
-    public void setRoomsHtml(String roomsHtml) {
-        this.roomsHtml = roomsHtml;
+    public void setRoomJson(String roomJson) {
+        this.roomJson = roomJson;
     public boolean isSuccessFullUpdate() {


-#* @vtlvariable name="action" type="com.atlassian.confluence.spaces.actions.EditSpaceEntryAction" *#
+#* @vtlvariable name="action" type="com.atlassian.labs.hipchat.actions.ViewSpaceConfigurationAction" *#
 <script id="rooms-tmpl" type="text/tmpl">
     <% _.each(rooms, function(room){ %>
     <div class="checkbox">
-        <input class="checkbox" type="checkbox" <%= room.checked %> name="roomId" value="<%= room.room_id %>">
-        <label for="<%= room.room_id %>"><%= %></label>
+        <input class="checkbox" type="checkbox" <%= room.checked %> name="roomId" value="<%- room.room_id %>">
+        <label for="<%- room.room_id %>"><%- %></label>
     <% }) %>
+## Don't escape the JSON string
+#set($roomJsonHtml = $action.roomJson)
 <script type="text/javascript">
     var hcRoomIds = "$action.roomId",
-            hcRooms = $action.roomsHtml;
+            hcRooms = $roomJsonHtml;
 <form id="hipchat-form" action="doconfigure-hipchat.action" method="post"
       class="aui edit-space-details">
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.