# HG changeset patch
# User Marcin Lulek
# Date 2017-10-20 12:11:15
# Node ID 2a2643df4b546bc570515e2aa9dbb0fe64f8b2c6
# Parent 0bf8e4db69ca159cb51a2bbc47eb3c33e67c3a3d
comments: escape file-paths on commenting to prevent html breakage
diff --git a/rhodecode/public/js/src/rhodecode/comments.js b/rhodecode/public/js/src/rhodecode/comments.js
--- a/rhodecode/public/js/src/rhodecode/comments.js
+++ b/rhodecode/public/js/src/rhodecode/comments.js
@@ -670,7 +670,7 @@ var CommentsController = function() {
 var lineno = self.getLineNumber(node);
 // create a new HTML from template
 var tmpl = $('#cb-comment-inline-form-template').html();
- tmpl = tmpl.format(f_path, lineno);
+ tmpl = tmpl.format(escapeHtml(f_path), lineno);
 $form = $(tmpl);
 var $comments = $td.find('.inline-comments');