From 45068cd299bc6268abb0da0dec07eb39bde5dfce Mon Sep 17 00:00:00 2001
From: vrockai
Date: Tue, 26 Nov 2013 14:11:47 +0100
Subject: [PATCH] KEYCLOAK-170 escape HTML chars in Dialog service
---
 .../resources/META-INF/resources/admin/js/services.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js
index c0e3c6a9f4..7c209d035a 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js
@@ -15,9 +15,16 @@ module.service('Auth', function() {
 module.service('Dialog', function($dialog) {
 var dialog = {};
+
+ var escapeHtml = function(str) {
+ var div = document.createElement('div');
+ div.appendChild(document.createTextNode(str));
+ return div.innerHTML;
+ };
+
 dialog.confirmDelete = function(name, type, success) {
- var title = 'Delete ' + type.charAt(0).toUpperCase() + type.slice(1);
- var msg = 'Are you sure you want to permanently delete the ' + type + ' "' + name + '"?' +
+ var title = 'Delete ' + escapeHtml(type.charAt(0).toUpperCase() + type.slice(1));
+ var msg = 'Are you sure you want to permanently delete the ' + escapeHtml(type) + ' "' + escapeHtml(name) + '"?' +
 'This action can\'t be undone.';
 var btns = [ { result : 'cancel',