author | Matthew Somerville <matthew@mysociety.org> | 2011-07-04 16:47:17 +0100 |
committer | Matthew Somerville <matthew@mysociety.org> | 2011-07-04 16:47:17 +0100 |
commit | 11b8e01670ed338fa5cdcebba89ebe4f212cf9a7 (patch) | |
tree | e054128d8b74d22bdfed9baf5ccc9d58b54cfb87 | |
parent | d8ff34ad5e57eae9faa2aaa909298fb4ffe26412 (diff) |
Escape JS string better.
-rw-r--r-- | perllib/FixMyStreet/App/View/Web.pm | 22 | ||||
-rw-r--r-- | templates/web/default/maps/pins_js.html | 2 |
2 files changed, 23 insertions, 1 deletions
diff --git a/perllib/FixMyStreet/App/View/Web.pm b/perllib/FixMyStreet/App/View/Web.pm index 358e280c3..df2d0ac20 100644 --- a/perllib/FixMyStreet/App/View/Web.pm +++ b/perllib/FixMyStreet/App/View/Web.pm @@ -21,6 +21,9 @@ __PACKAGE__->config( 'loc', 'nget', 'tprintf', 'display_crosssell_advert', 'prettify_epoch', 'add_links', ], + FILTERS => { + escape_js => \&escape_js, + }, ); =head1 NAME @@ -120,5 +123,24 @@ sub add_links { return $text; } +=head2 escape_js + +Used to escape strings that are going to be put inside JavaScript. + +=cut + +sub escape_js { + my $text = shift; + my %lookup = ( + '\\' => 'u005c', + '"' => 'u0022', + "'" => 'u0027', + '<' => 'u003c', + '>' => 'u003e', + ); + $text =~ s/([\\"'<>])/\\$lookup{$1}/g; + return $text; +} + 1; diff --git a/templates/web/default/maps/pins_js.html b/templates/web/default/maps/pins_js.html index d6d750390..355fffaba 100644 --- a/templates/web/default/maps/pins_js.html +++ b/templates/web/default/maps/pins_js.html @@ -1,4 +1,4 @@ [ [% FOR pin IN map.pins -%] - [ [% pin.latitude %], [% pin.longitude %], '[% pin.colour %]', '[% pin.id %]', "[% pin.title | html %]" ] + [ [% pin.latitude %], [% pin.longitude %], '[% pin.colour %]', '[% pin.id %]', "[% pin.title | escape_js %]" ] [%- IF !loop.last %],[% END %] [% END %] ] |
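Review bot: The new escape_js rewrites only `\ " ' < >`, so a title containing a newline, a carriage return, or the JavaScript line terminators U+2028/U+2029 still yields an unterminated string literal in the pins array and breaks the whole response, which is exactly the class of input this filter is meant to neutralise. Adding those four characters to `%lookup` and to the character class closes the gap; they are matched as characters, so this assumes `$text` is a decoded string rather than raw bytes, which is worth confirming against the view's encoding setup (not visible in this hunk). The POD should also state the output contract, e.g. `Escapes characters that could end or alter a JavaScript string literal, emitting \uXXXX sequences; the result is safe inside a single- or double-quoted JS string but is not HTML-escaped.` Rebuilding `%lookup` on every call is avoidable too; a file-scoped `my %JS_ESCAPE_OF` declared once above the sub would do.
```perl
sub escape_js {
    my $text = shift;
    my %lookup = (
        # … unchanged: the five existing entries …
        "\n"       => 'u000a',
        "\r"       => 'u000d',
        "\x{2028}" => 'u2028',
        "\x{2029}" => 'u2029',
    );
    $text =~ s/([\\"'<>\n\r\x{2028}\x{2029}])/\\$lookup{$1}/g;
    return $text;
}
```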
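Review bot: Swapping `| html` for `| escape_js` on pin.title changes what the consumer receives: `\u003c` decodes back to a literal `<` once the JavaScript string is parsed, so whichever map script reads this array must insert the title as text (a text node or equivalent) rather than as HTML, or the markup protection the old filter gave is lost; that script is not visible in this hunk, so this is an assumption to confirm. If the title is intended to end up inside HTML markup, chaining the filters, `"[% pin.title | html | escape_js %]"`, keeps the HTML-safe form while still producing a valid string literal. Either way, a short comment at the top of pins_js.html saying whether titles are HTML-escaped or plain text would save the next reader from guessing.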