diff --git a/frontend/src/components/common/notice-item.js b/frontend/src/components/common/notice-item.js
index 57cad6515b..71dd5ff39b 100644
--- a/frontend/src/components/common/notice-item.js
+++ b/frontend/src/components/common/notice-item.js
@@ -41,14 +41,13 @@ class NoticeItem extends React.Component {
let groupStaff = detail.group_staff_name;
// group name does not support special characters
- let userHref = siteRoot + 'profile/' + detail.group_staff_email + '/';
+ let userHref = siteRoot + 'profile/' + encodeURIComponent(detail.group_staff_email) + '/';
let groupHref = siteRoot + 'group/' + detail.group_id + '/';
let groupName = detail.group_name;
let notice = gettext('User {user_link} has added you to {group_link}');
- let userLink = '' + groupStaff + '';
- let groupLink = '' + groupName + '';
-
+ let userLink = '' + Utils.HTMLescape(groupStaff) + '';
+ let groupLink = '' + Utils.HTMLescape(groupName) + '';
notice = notice.replace('{user_link}', userLink);
notice = notice.replace('{group_link}', groupLink);
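Review bot: The comment above `userHref`, "group name does not support special characters", is now stale: the new lines escape `groupName` with `Utils.HTMLescape` regardless, so the comment argues against the very change being made and will mislead the next reader. Replace it with the actual reason the escaping exists, e.g. `// notice is rendered as HTML assembled by string replacement, so every user-controlled value is HTML-escaped and the email is URL-encoded for the path`. Note that `encodeURIComponent` leaves `'` unencoded, so `userHref` is only safe inside a double-quoted attribute; the anchor markup is not shown in this hunk, so that is worth confirming. `detail.group_id` is still concatenated raw into `groupHref`, which is fine if it is always numeric but otherwise wants the same `encodeURIComponent`. The enclosing method of NoticeItem starts and ends outside this hunk.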
diff --git a/frontend/src/pages/dashboard/activity-item.js b/frontend/src/pages/dashboard/activity-item.js
index 8de5ef0179..ad9af5c3b6 100644
--- a/frontend/src/pages/dashboard/activity-item.js
+++ b/frontend/src/pages/dashboard/activity-item.js
@@ -90,7 +90,7 @@ class ActivityItem extends Component {
}
} else if (item.obj_type == 'files') {
let fileURL = `${siteRoot}lib/${item.repo_id}/file${Utils.encodePath(item.path)}`;
- let fileLink = `${item.name}`;
+ let fileLink = `${Utils.HTMLescape(item.name)}`;
let fileCount = item.createdFilesCount - 1;
let firstLine = gettext('{file} and {n} other files')
.replace('{file}', fileLink)
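Review bot: `.replace('{file}', fileLink)` passes the escaped name as a string replacement, and `String.prototype.replace` expands `$&`, `$'`, `` $` `` and `$$` in a string replacement; `Utils.HTMLescape` presumably handles only HTML metacharacters, so a file named e.g. `$'report` would still have the remainder of the template spliced into the link text. Use a function replacer so the value is inserted literally: `.replace('{file}', () => fileLink)`. The enclosing render logic begins before and continues after this hunk.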
diff --git a/frontend/src/pages/sys-admin/admin-logs/operation-logs.js b/frontend/src/pages/sys-admin/admin-logs/operation-logs.js
index ff49bde5b7..2644db236b 100644
--- a/frontend/src/pages/sys-admin/admin-logs/operation-logs.js
+++ b/frontend/src/pages/sys-admin/admin-logs/operation-logs.js
@@ -138,15 +138,15 @@ class Item extends Component {
detailText = gettext('Created library {library_name} with {owner} as its owner')
.replace('{owner}', '' + detail.owner + '');
if (isPro && enableSysAdminViewRepo) {
- detailText = detailText.replace('{library_name}', '' + detail.name + '');
+ detailText = detailText.replace('{library_name}', '' + Utils.HTMLescape(detail.name) + '');
} else {
- detailText = detailText.replace('{library_name}', '' + detail.name + '');
+ detailText = detailText.replace('{library_name}', '' + Utils.HTMLescape(detail.name) + '');
}
return detailText;
case 'repo_delete':
detailText = gettext('Deleted library {library_name}')
- .replace('{library_name}', '' + detail.name + '');
+ .replace('{library_name}', '' + Utils.HTMLescape(detail.name) + '');
return detailText;
case 'repo_transfer':
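Review bot: `detail.owner` on the `.replace('{owner}', '' + detail.owner + '')` line is still inserted unescaped, while the same statement now escapes `detail.name`; the owner is an identifier taken from the log record and lands in the same HTML string, so it should get the same treatment: `.replace('{owner}', '' + Utils.HTMLescape(detail.owner) + '')`. If `{owner}` is also used to build a link href (the anchor markup is not shown in this hunk), that part needs `encodeURIComponent` rather than HTML escaping. The two `isPro && enableSysAdminViewRepo` branches read identically here, so a short comment on what distinguishes them would help. The enclosing switch starts outside this hunk.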
@@ -154,9 +154,9 @@ class Item extends Component {
.replace('{user_from}', '' + detail.from + '')
.replace('{user_to}', '' + detail.to + '');
if (isPro && enableSysAdminViewRepo) {
- detailText = detailText.replace('{library_name}', '' + detail.name + '');
+ detailText = detailText.replace('{library_name}', '' + Utils.HTMLescape(detail.name) + '');
} else {
- detailText = detailText.replace('{library_name}', '' + detail.name + '');
+ detailText = detailText.replace('{library_name}', '' + Utils.HTMLescape(detail.name) + '');
}
return detailText;
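Review bot: `detail.from` and `detail.to` on the `.replace('{user_from}', …)` and `.replace('{user_to}', …)` lines are still concatenated unescaped into `detailText`, while `detail.name` in the same chain is now passed through `Utils.HTMLescape`; both are user identifiers from the log record ending up in the same HTML string, so they need the same escaping: `.replace('{user_from}', '' + Utils.HTMLescape(detail.from) + '')` and `.replace('{user_to}', '' + Utils.HTMLescape(detail.to) + '')`. The `gettext(...)` call that opens this chain, and the switch it belongs to, lie outside the hunk.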