diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index dc65edabd..bcccfd29b 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -1029,6 +1029,11 @@ module ApplicationHelper
content_tag(:a, name, {:href => '#', :onclick => "#{function}; return false;"}.merge(html_options))
end
+ # Helper to render JSON in views
+ def raw_json(arg)
+ arg.to_json.to_s.gsub('/', '\/').html_safe
+ end
+
def back_url
url = params[:back_url]
if url.nil? && referer = request.env['HTTP_REFERER']
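Review bot: The comment on `raw_json` says what it is but not why the `gsub('/', '\/')` is there, which is the whole point of the helper: escaping `/` keeps a `</script>` (or `</` followed by anything) inside a serialized value from terminating the inline `<script>` block the views embed it in, since JSON allows `\/` as an equivalent spelling of `/`. I would replace the comment with `# Renders +arg+ as JSON for use inside an inline <script> block; '/' is escaped as '\/' so a value containing "</script>" cannot close the tag. The result is html_safe, so it must not be used in HTML text or attribute context.` The `.to_s` after `to_json` is redundant, `to_json` already returns a String, so the body can be `arg.to_json.gsub('/', '\/').html_safe`. Note that this only handles the `/` case; other inline-script hazards (for example the U+2028/U+2029 line terminators inside string literals, where older engines break) are not addressed here, which is worth stating in the comment if that is intentional. `back_url` continues outside the hunk.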
diff --git a/app/views/queries/_filters.html.erb b/app/views/queries/_filters.html.erb
index 80b06c10a..f9e371b7e 100644
--- a/app/views/queries/_filters.html.erb
+++ b/app/views/queries/_filters.html.erb
@@ -1,12 +1,12 @@
<%= javascript_tag do %>
-var operatorLabels = <%= raw Query.operators_labels.to_json %>;
-var operatorByType = <%= raw Query.operators_by_filter_type.to_json %>;
-var availableFilters = <%= raw query.available_filters_as_json.to_json %>;
-var labelDayPlural = "<%= raw escape_javascript(l(:label_day_plural)) %>";
+var operatorLabels = <%= raw_json Query.operators_labels %>;
+var operatorByType = <%= raw_json Query.operators_by_filter_type %>;
+var availableFilters = <%= raw_json query.available_filters_as_json %>;
+var labelDayPlural = <%= raw_json l(:label_day_plural) %>;
$(document).ready(function(){
initFilters();
<% query.filters.each do |field, options| %>
- addFilter("<%= field %>", <%= raw query.operator_for(field).to_json %>, <%= raw query.values_for(field).to_json %>);
+ addFilter("<%= field %>", <%= raw_json query.operator_for(field) %>, <%= raw_json query.values_for(field) %>);
<% end %>
});
<% end %>
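Review bot: On the `addFilter` line the first argument is still emitted as `"<%= field %>"`, i.e. HTML-escaped by ERB inside a JavaScript string literal, while the other two arguments now go through `raw_json`; a field name containing `"` or `\` would be HTML-entity-encoded rather than JSON-escaped, so the line mixes two escaping schemes. Field names presumably come from the query's own filter keys rather than user input, so the practical risk looks low, but for consistency with the rest of this hunk I would write `addFilter(<%= raw_json field %>, <%= raw_json query.operator_for(field) %>, <%= raw_json query.values_for(field) %>);`. This also removes the one remaining place in the block where a value is interpolated into script without the `\/` escaping the commit introduces.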
diff --git a/public/javascripts/application.js b/public/javascripts/application.js
index 7346257dc..b135df6a5 100644
--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -163,9 +163,9 @@ function buildFilterRow(field, operator, values) {
case "date":
case "date_past":
tr.find('td.values').append(
- '' +
- ' ' +
- ' '+labelDayPlural+''
+ '' +
+ ' ' +
+ ' '+labelDayPlural+''
);
$('#values_'+fieldId+'_1').val(values[0]).datepicker(datepickerOptions);
$('#values_'+fieldId+'_2').val(values[1]).datepicker(datepickerOptions);
@@ -174,15 +174,15 @@ function buildFilterRow(field, operator, values) {
case "string":
case "text":
tr.find('td.values').append(
- ''
+ ''
);
$('#values_'+fieldId).val(values[0]);
break;
case "integer":
case "float":
tr.find('td.values').append(
- '' +
- ' '
+ '' +
+ ' '
);
$('#values_'+fieldId+'_1').val(values[0]);
$('#values_'+fieldId+'_2').val(values[1]);
diff --git a/test/functional/queries_controller_test.rb b/test/functional/queries_controller_test.rb
index 5ffc31f8a..aae7e93bc 100644
--- a/test/functional/queries_controller_test.rb
+++ b/test/functional/queries_controller_test.rb
@@ -273,4 +273,12 @@ class QueriesControllerTest < ActionController::TestCase
assert_redirected_to :controller => 'issues', :action => 'index', :project_id => 'ecookbook', :set_filter => 1, :query_id => nil
assert_nil Query.find_by_id(1)
end
+
+ def test_backslash_should_be_escaped_in_filters
+ @request.session[:user_id] = 2
+ get :new, :subject => 'foo/bar'
+ assert_response :success
+ assert_template 'new'
+ assert_include 'addFilter("subject", "=", ["foo\/bar"]);', response.body
+ end
end
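Review bot: The new test is named `test_backslash_should_be_escaped_in_filters`, but what it exercises is a forward slash in the subject (`'foo/bar'`) being emitted as `foo\/bar`; nothing in the request contains a backslash. Renaming it `test_slash_should_be_escaped_in_filters` would match the assertion and the purpose of `raw_json`. Since the motivating case for the escape is a value containing `</script>`, a second request with such a subject asserting that the raw `</script>` sequence is absent from the `addFilter(...)` call would pin the actual protection, although the exact expected string depends on whether `<`/`>` are also entity-escaped by the JSON encoder configuration, which this diff does not show.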