From c4d74d8768fbc42149fea343d514f48453f437f1 Mon Sep 17 00:00:00 2001
From: Beth Skurrie
Date: Mon, 1 Apr 2019 15:32:45 +1100
Subject: [PATCH] fix: sanitize html in matrix
---
lib/pact_broker/ui/views/matrix/show.haml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/pact_broker/ui/views/matrix/show.haml b/lib/pact_broker/ui/views/matrix/show.haml
index 7190a7eba..5d6cbc829 100644
--- a/lib/pact_broker/ui/views/matrix/show.haml
+++ b/lib/pact_broker/ui/views/matrix/show.haml
@@ -17,14 +17,14 @@
- if defined?(errors) && errors.any?
- errors.each do | error |
%div.alert.alert-danger
- = error
+ = escape_html(error)
%form{action: '/matrix', onsubmit:'return onSubmit()'}
- selectors.each_with_index do | selector, index |
.selector
%label{for: "pacticipant#{index}"} Pacticipant name
- %input{name: 'q[]pacticipant', id: "pacticipant1#{index}", value: selector.pacticipant_name}
+ %input{name: 'q[]pacticipant', id: "pacticipant1#{index}", value: escape_html(selector.pacticipant_name)}
.input-group
@@ -41,9 +41,9 @@
%option{ value: 'specify-all-tagged', selected: selector.specify_all_tagged } All versions with tag...
- %input{name: 'q[]version', type: 'text', id: "pacticipant#{index}_version", class: 'version', value: selector.pacticipant_version_number}
+ %input{name: 'q[]version', type: 'text', id: "pacticipant#{index}_version", class: 'version', value: escape_html(selector.pacticipant_version_number)}
- %input{name: 'q[]tag', type: 'text', id: "pacticipant#{index}_tag", class: 'tag', value: selector.tag}
+ %input{name: 'q[]tag', type: 'text', id: "pacticipant#{index}_tag", class: 'tag', value: escape_html(selector.tag)}
%input{name: 'q[]latest', value: 'true', hidden: true, class: 'latest-flag'}
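Review bot: The new `escape_html(...)` wrappers on the input `value:` attributes, in this hunk and again in the second hunk (`q[]version`, `q[]tag`), may double-escape, because Haml escapes attribute values itself when its `escape_attrs` option is on (its default), so a tag like `a&b` would be emitted as `a&amp;amp;b` and displayed to the user as `a&amp;b`; whether that happens here depends on the Haml options the broker configures, which this patch does not show. A rendering spec that passes a selector value containing `<` and `&` through the matrix view and asserts exactly one level of escaping in the output would pin the intended behaviour either way, and separately cover the `= error` line in the alert div, which is output text governed by Haml's `escape_html` setting rather than `escape_attrs`. `escape_html` is not defined in this file, so confirm it is in the view's helper scope, since a missing helper would only surface when the error branch or a selector is rendered. The changed input in this hunk also keeps `id: "pacticipant1#{index}"` while its label uses `for: "pacticipant#{index}"`, so the label is not associated with the field; that looks like a pre-existing typo worth fixing while the line is being touched.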