dashboard: escape html/or use .text instead of .html where needed

circle/dashboard/static/dashboard/dashboard.js

@@ -428,7 +428,7 @@ function generateVmHTML(pk, name, host, icon, _status, fav, is_last) {
   return '<a href="/dashboard/vm/' + pk + '/" class="list-group-item' +
          (is_last ? ' list-group-item-last' : '') + '">' +      
         '<span class="index-vm-list-name">' + 
-          '<i class="fa ' + icon + '" title="' + _status + '"></i> ' + name +
+          '<i class="fa ' + icon + '" title="' + _status + '"></i> ' + safe_tags_replace(name) +
         '</span>' + 
         '<small class="text-muted"> ' + host + '</small>' +
         '<div class="pull-right dashboard-vm-favourite" data-vm="' + pk + '">' +  
@@ -441,14 +441,14 @@ function generateVmHTML(pk, name, host, icon, _status, fav, is_last) {
 
 function generateGroupHTML(url, name, is_last) {
   return '<a href="' + url + '" class="list-group-item real-link' + (is_last ? " list-group-item-last" : "") +'">'+
-         '<i class="fa fa-users"></i> '+ name +
+         '<i class="fa fa-users"></i> '+ safe_tags_replace(name) +
          '</a>';
 }
 
 function generateNodeHTML(name, icon, _status, url, is_last) {
   return '<a href="' + url + '" class="list-group-item real-link' + (is_last ? ' list-group-item-last' : '') + '">' +
         '<span class="index-node-list-name">' +
-        '<i class="fa ' + icon + '" title="' + _status + '"></i> ' + name +
+        '<i class="fa ' + icon + '" title="' + _status + '"></i> ' + safe_tags_replace(name) +
         '</span>' +
         '<div style="clear: both;"></div>' +
         '</a>';
@@ -456,7 +456,7 @@ function generateNodeHTML(name, icon, _status, url, is_last) {
 
 function generateNodeTagHTML(name, icon, _status, label , url) {
   return '<a href="' + url + '" class="label ' + label + '" >' +
-        '<i class="fa ' + icon + '" title="' + _status + '"></i> ' + name +
+        '<i class="fa ' + icon + '" title="' + _status + '"></i> ' + safe_tags_replace(name) +
         '</a> ';
 }
 
@@ -678,3 +678,18 @@ function getParameterByName(name) {
         results = regex.exec(location.search);
     return results == null ? "" : decodeURIComponent(results[1].replace(/\+/g, " "));
 }
+
+
+var tagsToReplace = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;'
+};
+
+function replaceTag(tag) {
+    return tagsToReplace[tag] || tag;
+}
+
+function safe_tags_replace(str) {
+    return str.replace(/[&<>]/g, replaceTag);
+}

circle/dashboard/static/dashboard/disk-list.js

-$(function() {
-  $(".disk-list-disk-percentage").each(function() {
-    var disk = $(this).data("disk-pk");
-    var element = $(this);
-    refreshDisk(disk, element);
-  });
-});
-
-function refreshDisk(disk, element) {
-    $.get("/dashboard/disk/" + disk + "/status/", function(result) {
-      if(result.percentage == null || result.failed == "True") {
-        location.reload(); 
-      } else {
-        var diff = result.percentage - parseInt(element.html());
-        var refresh = 5 - diff;
-        refresh = refresh < 1 ? 1 : (result.percentage == 0 ? 1 : refresh);
-        if(isNaN(refresh)) refresh = 2; // this should not happen
-
-        element.html(result.percentage);
-        setTimeout(function() {refreshDisk(disk, element)}, refresh * 1000);
-      }
-    });
-}

circle/dashboard/static/dashboard/group-details.js

@@ -14,7 +14,7 @@
       data: {'new_name': name},
       headers: {"X-CSRFToken": getCookie('csrftoken')},
       success: function(data, textStatus, xhr) {
-        $("#group-details-h1-name").html(data['new_name']).show();
+        $("#group-details-h1-name").text(data['new_name']).show();
         $('#group-details-rename').hide();
         // addMessage(data['message'], "success");
       },

circle/dashboard/static/dashboard/node-details.js

@@ -15,7 +15,7 @@ $(function() {
       data: {'new_name': name},
       headers: {"X-CSRFToken": getCookie('csrftoken')},
       success: function(data, textStatus, xhr) {
- 	$("#node-details-h1-name").html(data['new_name']).show();
+	$("#node-details-h1-name").text(data['new_name']).show();
         $('#node-details-rename').hide();
         // addMessage(data['message'], "success");
       },

circle/dashboard/static/dashboard/node-list.js

@@ -12,40 +12,6 @@ $(function() {
 	tr.removeClass('danger');
   }
 
-  /* rename */
-  $("#node-list-rename-button, .node-details-rename-button").click(function() {
-    $("#node-list-column-name", $(this).closest("tr")).hide();
-    $("#node-list-rename", $(this).closest("tr")).css('display', 'inline');
-  });
-
-  /* rename ajax */
-  $('.node-list-rename-submit').click(function() {
-    var row = $(this).closest("tr")
-    var name = $('#node-list-rename-name', row).val();
-    var url = '/dashboard/node/' + row.children("td:first-child").text().replace(" ", "") + '/';
-    $.ajax({
-      method: 'POST',
-      url: url,
-      data: {'new_name': name},
-      headers: {"X-CSRFToken": getCookie('csrftoken')},
-      success: function(data, textStatus, xhr) {
-        
-        $("#node-list-column-name", row).html(
-          $("<a/>", {
-            'class': "real-link",
-            href: "/dashboard/node/" + data['node_pk'] + "/",
-            text: data['new_name']
-          })
-        ).show();
-        $('#node-list-rename', row).hide();
-        // addMessage(data['message'], "success");
-      },
-      error: function(xhr, textStatus, error) {
-	 addMessage("Error during renaming!", "danger");
-      }
-    });
-    return false;
-  });
 
   function statuschangeSuccess(tr){
    var tspan=tr.children('.enabled').children();