From 2c67efb23c9f81e756cc0d11fed08c3763ac0f58 Mon Sep 17 00:00:00 2001
From: datagear <datagear@163.com>
Date: Mon, 7 Sep 2020 13:25:30 +0800
Subject: [PATCH] =?UTF-8?q?=E8=A7=A3=E5=86=B3=E6=95=B0=E6=8D=AE=E9=9B=86?=
 =?UTF-8?q?=E9=A2=84=E8=A7=88=E3=80=81=E8=A1=A8=E6=A0=BC=E5=9B=BE=E8=A1=A8?=
 =?UTF-8?q?=E5=B1=95=E7=A4=BA=E6=97=B6=E6=B2=A1=E6=9C=89=E5=A4=84=E7=90=86?=
 =?UTF-8?q?=E6=95=B0=E6=8D=AEXSS=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../static/script/datagear-chartFactory.js    | 32 +++++++++++++++++++
 .../static/script/datagear-chartSupport.js    |  2 +-
 .../dataSet/include/dataSet_form_js.ftl       |  2 +-
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/datagear-web/src/main/resources/org/datagear/web/webapp/static/script/datagear-chartFactory.js b/datagear-web/src/main/resources/org/datagear/web/webapp/static/script/datagear-chartFactory.js
index 7d70af01..6ab91ac9 100644
--- a/datagear-web/src/main/resources/org/datagear/web/webapp/static/script/datagear-chartFactory.js
+++ b/datagear-web/src/main/resources/org/datagear/web/webapp/static/script/datagear-chartFactory.js
@@ -2278,6 +2278,38 @@
 		return "dataGearClientElement" + nextIdSeq;
 	};
 	
+
+	/**
+	 * 将给定值按照HTML规范转义，如果不是字符串，直接返回原值。
+	 */
+	chartFactory.escapeHtml = function(value)
+	{
+		if(typeof(value) != "string")
+			return value;
+		
+		var epn = "";
+		
+		for(var i=0; i<value.length; i++)
+		{
+			var c = value.charAt(i);
+			
+			if(c == '<')
+				epn += '&lt;';
+			else if(c == '>')
+				epn += '&gt;';
+			else if(c == '&')
+				epn += '&amp;';
+			else if(c == '"')
+				epn += '&quot;';
+			else if(c == '\'')
+				epn += '&#39;';
+			else
+				epn += c;
+		}
+		
+		return epn;
+	};
+	
 	/**
 	 * 记录异常日志。
 	 * 
diff --git a/datagear-web/src/main/resources/org/datagear/web/webapp/static/script/datagear-chartSupport.js b/datagear-web/src/main/resources/org/datagear/web/webapp/static/script/datagear-chartSupport.js
index 17dcdd33..9b82d3e5 100644
--- a/datagear-web/src/main/resources/org/datagear/web/webapp/static/script/datagear-chartSupport.js
+++ b/datagear-web/src/main/resources/org/datagear/web/webapp/static/script/datagear-chartSupport.js
@@ -3665,7 +3665,7 @@
 				//单元格内容渲染函数
 				renderValue: function(value, type, row, meta)
 				{
-					return value;
+					return chartFactory.escapeHtml(value);
 				}
 			},
 			
diff --git a/datagear-web/src/main/resources/org/datagear/web/webapp/view/freemarker/analysis/dataSet/include/dataSet_form_js.ftl b/datagear-web/src/main/resources/org/datagear/web/webapp/view/freemarker/analysis/dataSet/include/dataSet_form_js.ftl
index e7d1d7f9..c25cc7b0 100644
--- a/datagear-web/src/main/resources/org/datagear/web/webapp/view/freemarker/analysis/dataSet/include/dataSet_form_js.ftl
+++ b/datagear-web/src/main/resources/org/datagear/web/webapp/view/freemarker/analysis/dataSet/include/dataSet_form_js.ftl
@@ -792,7 +792,7 @@ po.previewOptions.url = "...";
 					var name = dataSetProperties[colIndex].name;
 					
 					if(setValue === undefined)
-						return row[name];
+						return chartFactory.escapeHtml(row[name]);
 					else
 						row[name] = setValue;
 				},