From 7df66015132d63441fb3f205b0b86bd204dba587 Mon Sep 17 00:00:00 2001
From: toddn
Date: Sun, 28 Apr 2024 15:34:03 -0500
Subject: [PATCH] escaping the javascript

---
 app/api/Users.scala | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/app/api/Users.scala b/app/api/Users.scala
index 866e8e9c2..72d25cae7 100644
--- a/app/api/Users.scala
+++ b/app/api/Users.scala
@@ -1,5 +1,6 @@
 package api
+import org.apache.commons.lang.StringEscapeUtils
 import javax.inject.Inject
 import play.api.libs.json._
 import play.api.Play.current
@@ -61,10 +62,12 @@ class Users @Inject()(users: UserService, events: EventService) extends ApiContr
 /** @deprecated use id instead of email */
 def updateName(id: UUID, firstName: String, lastName: String) = PermissionAction(Permission.EditUser, Some(ResourceRef(ResourceRef.user, id))) { implicit request =>
 implicit val user = request.user
- users.updateUserField(id, "firstName", firstName)
- users.updateUserField(id, "lastName", lastName)
- users.updateUserField(id, "fullName", firstName + " " + lastName)
- users.updateUserFullName(id, firstName + " " + lastName)
+ val escapedFirstName = StringEscapeUtils.escapeJavaScript(firstName)
+ val escapedLastName = StringEscapeUtils.escapeJavaScript(lastName)
+ users.updateUserField(id, "firstName", escapedFirstName)
+ users.updateUserField(id, "lastName", escapedLastName)
+ users.updateUserField(id, "fullName", escapedFirstName + " " + escapedLastName)
+ users.updateUserFullName(id, escapedFirstName + " " + escapedLastName)
 Ok(Json.obj("status" -> "success"))
 }
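Review bot: The added `StringEscapeUtils.escapeJavaScript` calls encode for a single output context (a JavaScript string literal) but persist the result into the `firstName`, `lastName` and `fullName` fields, so every other consumer of those fields — HTML templates, JSON responses, search, e-mail — will now see `O\'Brien` or `\u00E9` instead of the user's actual name, and any later update that reads a stored name and writes it back will escape it a second time. Escaping is an output-side concern: keep the writes raw here (`users.updateUserField(id, "firstName", firstName)` and the three lines that follow) and apply the JavaScript escaping, or Twirl's built-in escaping, at the point where a name is interpolated into a `<script>` block, which also covers names that reach the database through write paths this commit does not touch. If write-side hardening is wanted in `updateName`, input validation (a length limit, rejecting control characters) is the appropriate measure rather than context-specific encoding. Separately, `org.apache.commons.lang` is the end-of-life commons-lang 2 line; if an escaping helper is retained anywhere, `org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript` is the maintained equivalent.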