From a2caebbb62c435d99139269c612acec8ce52aac4 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Wed, 6 Dec 2017 13:49:02 -0500
Subject: [PATCH] Fix XSS in usage log viewer
Fixes https://jira.coreos.com/browse/QS-82
---
 static/js/services/string-builder-service.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/static/js/services/string-builder-service.js b/static/js/services/string-builder-service.js
index 949fd424a..f59598f72 100644
--- a/static/js/services/string-builder-service.js
+++ b/static/js/services/string-builder-service.js
@@ -117,8 +117,8 @@ angular.module('quay').factory('StringBuilderService', ['$sce', 'UtilService', f
 value = value.substr(0, 12);
 }
- var safe = UtilService.escapeHtmlString(value);
- var markedDown = UtilService.getMarkedDown(value);
+ var safe = UtilService.textToSafeHtml(value);
+ var markedDown = UtilService.getMarkedDown(safe);
 markedDown = markedDown.substr('

'.length, markedDown.length - '

'.length);
 var icon = fieldIcons[key];
@@ -132,7 +132,7 @@ angular.module('quay').factory('StringBuilderService', ['$sce', 'UtilService', f
 var codeTag = opt_codetag || 'code';
 description = description.replace('{' + prefix + key + '}',
- '<' + codeTag + ' title="' + safe + '">' + markedDown + '');
+ '<' + codeTag + '>' + markedDown + '');
 return description
 }
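Review bot: Escaping `value` with `textToSafeHtml` before `getMarkedDown(safe)` neutralises raw tags but not markdown syntax itself, so the safety of `markedDown` still rests on what `getMarkedDown` does with link and image destinations, which this hunk does not show. If that helper does not sanitise the HTML it renders, the sanitising step belongs after rendering rather than before it. At minimum the assumption should be recorded above the two new lines, e.g. `// value is untrusted log metadata: escaped first; getMarkedDown must not emit raw HTML or unsafe link targets`. The `substr` on the next context line also assumes the renderer wraps its output in a single paragraph element, which a value that renders as a list or heading would break. The enclosing function starts and ends outside the hunk.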
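Review bot: The second argument to `description.replace(...)` is still a plain string built from `markedDown`, so `$`-sequences in a log value (`$&`, `$1` and similar) are read as replacement patterns and can copy other parts of `description` into the generated markup. Passing a function avoids that interpretation: build the element into a local `html` first, then `description = description.replace('{' + prefix + key + '}', function() { return html; });`. Separately, `codeTag` comes from `opt_codetag` and is concatenated into the tag name unchecked; callers presumably pass constants, but that is not visible here, so a short allow-list of tag names would be cheap insurance. The function body begins and ends outside the hunk.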