Fix reflected XSS vulnerabilities in some views

app/controllers/todos_controller.rb

@@ -863,8 +863,10 @@ def get_params_for_tag_view
     end
 
     @single_tag = @tag_expr.size == 1 && @tag_expr[0].size == 1
-    @tag_name = @tag_expr[0][0]
-    @tag_title = @single_tag ? @tag_name : tag_title(@tag_expr)
+
+    # These are used in the templates, sanitise to prevent XSS.
+    @tag_name = sanitize(@tag_expr[0][0])
+    @tag_title = sanitize(@single_tag ? @tag_name : tag_title(@tag_expr))
   end
 
   def filter_format_for_tag_view

app/views/layouts/application.html.erb

@@ -7,14 +7,14 @@
     <%= javascript_include_tag "application" %>
     <%= csrf_meta_tags %>
     <script type="text/javascript">
-      var SOURCE_VIEW = '<%=@source_view%>';
-      var AUTH_TOKEN = '<%= raw(protect_against_forgery? ? form_authenticity_token.inspect : "") %>'
-      var TAG_NAME = '<%= @tag_name ? @tag_name : "" %>'
-      var GROUP_VIEW_BY = '<%= @group_view_by ? @group_view_by : "" %>'
+      var SOURCE_VIEW = '<%=j @source_view %>';
+      var AUTH_TOKEN = '<%=j raw(protect_against_forgery? ? form_authenticity_token.inspect : "") %>'
+      var TAG_NAME = '<%=j @tag_name ? @tag_name : "" %>'
+      var GROUP_VIEW_BY = '<%=j @group_view_by ? @group_view_by : "" %>'
       var defaultContexts = <%= default_contexts_for_autocomplete.html_safe rescue '{}' %>;
       var defaultTags = <%= default_tags_for_autocomplete.html_safe rescue '{}' %>;
-      var dateFormat = '<%= date_format_for_date_picker %>';
-      var weekStart = '<%= current_user.prefs.week_starts %>';
+      var dateFormat = '<%=j date_format_for_date_picker %>';
+      var weekStart = '<%=j current_user.prefs.week_starts %>';
       function relative_to_root(path) { return '<%= root_url %>'+path; };
       <% if current_user.prefs.refresh != 0 -%>
         setup_auto_refresh(<%= current_user.prefs["refresh"].to_i*60000 %>);