I've attached a patch to fix an issue I encountered when generating jqplot
reports with account names containing quotes and angle brackets. The patch
defines jqplot-escape-string in report/report-system/html-jqplot.scm and uses
it in html-*chart.scm to escape the necessary strings.

I have also created a bugzilla entry and uploaded the patch there:
https://bugzilla.gnome.org/show_bug.cgi?id=721768. I am happy to revise it as
needed.

Thanks!

-Aaron
From f0ee393bc866ac95dee6600a63dbff19447ff764 Mon Sep 17 00:00:00 2001
From: Aaron Lindsay <aa...@aclindsay.com>
Date: Tue, 7 Jan 2014 23:49:46 -0500
Subject: [PATCH] [Bug 721768] Escape labels for jqplot charts

Escape quotes and HTML characters while generating HTML/JavaScript for
the jqplot charts to avoid JavaScript errors.

Author: Aaron Lindsay <aa...@aclindsay.com>
---
 src/report/report-system/html-barchart.scm  | 8 +++++---
 src/report/report-system/html-jqplot.scm    | 9 +++++++++
 src/report/report-system/html-linechart.scm | 8 +++++---
 src/report/report-system/html-piechart.scm  | 8 +++++---
 4 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/src/report/report-system/html-barchart.scm b/src/report/report-system/html-barchart.scm
index c215c52..59a493b 100644
--- a/src/report/report-system/html-barchart.scm
+++ b/src/report/report-system/html-barchart.scm
@@ -355,7 +355,7 @@
                          (push series-index)
                          (push ");\n")
                          (push "series.push({ label: \"")
-                         (push label)
+                         (push (jqplot-escape-string label))
                          (push "\"});\n\n")))
          ; Use a unique chart-id for each chart. This prevents chart
          ; clashed on multi-column reports
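Review bot: the `(push (jqplot-escape-string label))` line relies on the new define in html-jqplot.scm being visible from html-barchart.scm, but the patch adds no export or load line for it; confirm that the chart modules already see html-jqplot.scm's definitions the same way they see its existing helpers, or add the export next to them so this does not fail at report time.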
@@ -447,12 +447,14 @@
             (if title
               (begin 
                 (push "  options.title = \"")
-                (push title) (push "\";\n")))
+                (push (jqplot-escape-string title))
+                (push "\";\n")))
 
             (if subtitle
               (begin 
                 (push "  options.title += \" (")
-                (push subtitle) (push ")\";\n")))
+                (push (jqplot-escape-string subtitle))
+                (push ")\";\n")))
 
             (if (and (string? x-label) (> (string-length x-label) 0))
               (begin 
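Review bot: the x-label branch that starts at the bottom of this hunk (`(if (and (string? x-label) (> (string-length x-label) 0))`), and the y-label code that presumably follows it, are not touched; if they push the raw string into a quoted literal the same way title and subtitle do, they need `(push (jqplot-escape-string x-label))` as well, in both html-barchart.scm and html-linechart.scm. Also note that `(if title` only guards against #f while the x-label check uses `string?`; regexp-substitute/global will raise on a non-string, so the two guards could be made consistent.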
diff --git a/src/report/report-system/html-jqplot.scm b/src/report/report-system/html-jqplot.scm
index c2ba9f0..23a2d24 100644
--- a/src/report/report-system/html-jqplot.scm
+++ b/src/report/report-system/html-jqplot.scm
@@ -14,3 +14,12 @@
         "\" />\n"
     ))
 
+(define (jqplot-escape-string s1)
+    ;; Escape single and double quotes and backslashes
+    (set! s1 (regexp-substitute/global #f "\\\\" s1 'pre "\\\\" 'post))
+    (set! s1 (regexp-substitute/global #f "'" s1 'pre "\\'" 'post))
+    (set! s1 (regexp-substitute/global #f "\"" s1 'pre "\\\"" 'post))
+    ;; Escape HTML special characters
+    (set! s1 (regexp-substitute/global #f "&" s1 'pre "&amp;" 'post))
+    (set! s1 (regexp-substitute/global #f "<" s1 'pre "&lt;" 'post))
+    (regexp-substitute/global #f ">" s1 'pre "&gt;" 'post))
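Review bot: jqplot-escape-string leaves raw CR and LF (and the Unicode line separators U+2028/U+2029) in place, and any of those still terminates the JavaScript string literal the callers build, so an account name or title containing a newline produces the same kind of JavaScript error this patch sets out to fix; add substitutions such as `(set! s1 (regexp-substitute/global #f "\n" s1 'pre "\\n" 'post))` and the same for "\r" after the quote handling. The order of the existing substitutions is right (backslash first, then both quote styles, then `&` before `<` and `>`), but a one-line comment naming the target context would help: the output is a JavaScript string literal that jqplot later renders as HTML, which is why both the backslash escapes and the entity escapes are needed. Style: rebinding the argument with `set!` works, but a `let*` chain would avoid mutating the parameter.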
diff --git a/src/report/report-system/html-linechart.scm b/src/report/report-system/html-linechart.scm
index b1a92f0..b6e2779 100644
--- a/src/report/report-system/html-linechart.scm
+++ b/src/report/report-system/html-linechart.scm
@@ -387,7 +387,7 @@
                          (push series-index)
                          (push ");\n")
                          (push "series.push({ label: \"")
-                         (push label)
+                         (push (jqplot-escape-string label))
                          (push "\"});\n\n")))
          ; Use a unique chart-id for each chart. This prevents chart
          ; clashed on multi-column reports
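Review bot: this is the second verbatim copy of the `series.push({ label: ...})` emission (the first is in html-barchart.scm); consider moving the three push calls into a helper next to jqplot-escape-string in html-jqplot.scm so the escaping is applied in one place and cannot be dropped from one copy in a later edit.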
@@ -489,12 +489,14 @@
             (if title
               (begin 
                 (push "  options.title = \"")
-                (push title) (push "\";\n")))
+                (push (jqplot-escape-string title))
+                (push "\";\n")))
 
             (if subtitle
               (begin 
                 (push "  options.title += \" (")
-                (push subtitle) (push ")\";\n")))
+                (push (jqplot-escape-string subtitle))
+                (push ")\";\n")))
 
             (if (and (string? x-label) (> (string-length x-label) 0))
               (begin 
diff --git a/src/report/report-system/html-piechart.scm b/src/report/report-system/html-piechart.scm
index 6fd79ab..d7b00c8 100644
--- a/src/report/report-system/html-piechart.scm
+++ b/src/report/report-system/html-piechart.scm
@@ -229,7 +229,7 @@
                 (for-each 
                  (lambda (datum label)
                    (push "  data.push(['")
-                   (push label)
+                   (push (jqplot-escape-string label))
                    (push "',")
                    (push datum)
                    (push "]);\n"))
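Review bot: this is the one call site where the label lands in a single-quoted literal (`data.push(['`), so it is the `'` substitution in jqplot-escape-string that protects it rather than the `"` one; a short comment here or at the define would keep the single-quote case from being removed as redundant later. The `datum` pushed two lines below stays unescaped, which is fine only as long as it is always a number; if it can be a formatted string it needs the same treatment.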
@@ -247,11 +247,13 @@
             (if title
               (begin 
                 (push "  options.title = \"")
-                (push title) (push "\";\n")))
+                (push (jqplot-escape-string title))
+                (push "\";\n")))
             (if subtitle
               (begin 
                 (push "  options.title += \" (")
-                (push subtitle) (push ")\";\n")))
+                (push (jqplot-escape-string subtitle))
+                (push ")\";\n")))
 
             (push "$.jqplot.config.enablePlugins = true;\n")
             (push "var plot = $.jqplot('")(push chart-id)(push "', [data], options);\n")
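Review bot: pre-existing, but visible in this hunk: `options.title += " (...)"` is emitted whenever subtitle is set with no dependency on title, so a report with a subtitle and no title ends up with the JavaScript string `"undefined (subtitle)"`; guarding the subtitle branch on title, or emitting `options.title = (options.title || "") + " (...)"`, would fix it while these lines are being touched. The chart-id pushed unescaped on the last line is generated by the report code (see the "unique chart-id" comment in the earlier hunk) rather than taken from account data, so it does not need the escaper.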
-- 
1.8.5.2

_______________________________________________
gnucash-devel mailing list
gnucash-devel@gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel
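Added example, not code from the patch or from GnuCash: a JavaScript model of jqplot-escape-string and of the statements the chart modules emit, run through a stand-in for the browser's script block so the effect of the escaping can be checked directly. The function names (jqplotEscapePatch, jqplotEscapeStrict, seriesPushStatement, pieDataStatement, runGenerated, demo), the stricter variant that also handles line terminators, and the sample account names are assumptions made for this example.

```javascript
// Added example (not part of the GnuCash patch). Models the patch's
// jqplot-escape-string in JavaScript and checks what the generated
// chart code does with escaped and unescaped account names.

// Same six substitutions as the patch, in the same order: backslash first so
// the backslashes added by later steps are not re-escaped, then both quote
// styles, then '&' before '<' and '>' so entities are not double-encoded.
function jqplotEscapePatch(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Assumed extension (not in the patch): also escape the four characters that
// still terminate a JavaScript string literal after the patch's escaping.
function jqplotEscapeStrict(s) {
  return jqplotEscapePatch(s)
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The statement html-barchart.scm / html-linechart.scm emit for a series
// label (double-quoted literal), with a pluggable escaper.
function seriesPushStatement(label, esc) {
  return 'series.push({ label: "' + esc(label) + '"});\n';
}

// The statement html-piechart.scm emits for a slice (single-quoted literal).
function pieDataStatement(label, datum, esc) {
  return "data.push(['" + esc(label) + "'," + datum + "]);\n";
}

// Stand-in for the browser's <script> block: parse and run the generated
// statements against empty series/data arrays. Returns what jqplot would
// receive, or the SyntaxError if the label broke out of its literal.
function runGenerated(js) {
  try {
    const fn = new Function('series', 'data', js + 'return { series, data };');
    return fn([], []);
  } catch (e) {
    return e;
  }
}

// Constructed sample account names (not real data).
const TRICKY = 'Assets:Bob\'s "Cash" <Petty & Sundry>\\';
const BREAKOUT = 'x"}); series.push({ label: "injected';
const MULTILINE = 'Expenses:Line1\nLine2';

function demo() {
  return {
    // Unescaped: the second statement smuggled in via the label runs too.
    injectedCount: runGenerated(seriesPushStatement(BREAKOUT, s => s)).series.length,
    // Patch escaping: one series, quotes and backslash intact, angle
    // brackets and ampersand entity-encoded for jqplot's HTML rendering.
    patched: runGenerated(seriesPushStatement(TRICKY, jqplotEscapePatch)).series[0].label,
    // Same label through the pie chart's single-quoted literal.
    pie: runGenerated(pieDataStatement(TRICKY, 42, jqplotEscapePatch)).data[0],
    // A raw newline still breaks the literal with the patch's escaper...
    multilinePatch: runGenerated(seriesPushStatement(MULTILINE, jqplotEscapePatch)),
    // ...but survives the stricter variant.
    multilineStrict: runGenerated(seriesPushStatement(MULTILINE, jqplotEscapeStrict)).series[0].label,
  };
}
```

The `patched` value shows the intended end state: the JavaScript literal parses, and jqplot receives the label with `<`, `>` and `&` as entities, which is what it needs because it injects titles and legend labels into the page as HTML. The `multilinePatch` case is the edge the patch does not cover.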
