From henev...@apache.org
Subject [2/4] brooklyn-ui git commit: HTML and URI escape more things in the UI
Date Sun, 13 Nov 2016 16:03:24 GMT
HTML and URI escape more things in the UI


Project: http://git-wip-us.apache.org/repos/asf/brooklyn-ui/repo
Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-ui/commit/992965e0
Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-ui/tree/992965e0
Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-ui/diff/992965e0

Branch: refs/heads/master
Commit: 992965e047d7261fb16d5465c6c7f7a8283adb85
Parents: 3637aed
Author: Alex Heneveld <alex.heneveld@cloudsoftcorp.com>
Authored: Tue Nov 8 11:09:30 2016 +0000
Committer: Alex Heneveld <alex.heneveld@cloudsoftcorp.com>
Committed: Tue Nov 8 12:25:53 2016 +0000

----------------------------------------------------------------------
 .../webapp/assets/js/view/activity-details.js   | 21 ++++++++--------
 .../webapp/assets/js/view/add-child-invoke.js   |  2 +-
 .../assets/js/view/application-add-wizard.js    |  5 ++--
 .../webapp/assets/js/view/application-tree.js   | 10 ++++----
 src/main/webapp/assets/js/view/catalog.js       | 25 ++++++++++----------
 .../webapp/assets/js/view/change-name-invoke.js |  4 ++--
 src/main/webapp/assets/js/view/editor.js        |  2 +-
 .../webapp/assets/js/view/entity-activities.js  | 16 ++++++-------
 src/main/webapp/assets/js/view/entity-config.js |  4 ++--
 .../webapp/assets/js/view/entity-details.js     |  2 +-
 .../webapp/assets/js/view/entity-policies.js    |  2 +-
 .../webapp/assets/js/view/entity-sensors.js     |  4 ++--
 .../webapp/assets/js/view/entity-summary.js     | 12 +++++-----
 src/main/webapp/assets/js/view/ha-summary.js    |  2 +-
 .../webapp/assets/js/view/location-wizard.js    | 14 +++++------
 .../assets/js/view/policy-config-invoke.js      |  2 +-
 src/main/webapp/assets/js/view/policy-new.js    |  2 +-
 src/main/webapp/assets/js/view/script-groovy.js |  2 +-
 .../create-step-template-entry.html             |  2 +-
 .../app-add-wizard/deploy-location-option.html  |  4 ++--
 .../tpl/app-add-wizard/deploy-location-row.html |  2 +-
 .../app-add-wizard/required-config-entry.html   |  6 ++---
 .../assets/tpl/apps/activity-details.html       |  4 ++--
 .../assets/tpl/apps/activity-full-details.html  |  2 +-
 .../tpl/apps/activity-row-details-main.html     |  8 +++----
 .../assets/tpl/apps/activity-row-details.html   |  4 ++--
 .../assets/tpl/apps/change-name-modal.html      |  2 +-
 .../webapp/assets/tpl/apps/effector-modal.html  |  4 ++--
 .../webapp/assets/tpl/apps/effector-row.html    |  6 ++---
 .../assets/tpl/apps/entity-not-found.html       |  2 +-
 src/main/webapp/assets/tpl/apps/param.html      |  4 ++--
 .../assets/tpl/apps/policy-config-row.html      |  8 +++----
 .../tpl/apps/policy-parameter-config.html       |  6 ++---
 src/main/webapp/assets/tpl/apps/policy-row.html | 12 +++++-----
 src/main/webapp/assets/tpl/apps/summary.html    | 10 ++++----
 src/main/webapp/assets/tpl/apps/tree-item.html  | 18 +++++++-------
 .../assets/tpl/catalog/details-entity.html      |  8 +++----
 .../assets/tpl/catalog/details-generic.html     | 10 ++++----
 .../assets/tpl/catalog/details-location.html    |  4 ++--
 .../webapp/assets/tpl/catalog/nav-entry.html    |  2 +-
 src/main/webapp/assets/tpl/home/app-entry.html  |  4 ++--
 .../webapp/assets/tpl/home/server-caution.html  |  2 +-
 src/main/webapp/assets/tpl/lib/basic-modal.html |  6 ++---
 .../lib/config-key-type-value-input-pair.html   |  4 ++--
 44 files changed, 138 insertions(+), 137 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/activity-details.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/activity-details.js b/src/main/webapp/assets/js/view/activity-details.js
index fa8b552..c933ab4 100644
--- a/src/main/webapp/assets/js/view/activity-details.js
+++ b/src/main/webapp/assets/js/view/activity-details.js
@@ -84,7 +84,7 @@ define([
             else if (this.options.tabView)
                 this.task = this.options.tabView.collection.get(this.taskId);
             if (!this.taskLink && this.task) this.taskLink = this.task.get('links').self;
-            if (!this.taskLink && this.taskId) this.taskLink = "v1/activities/"+this.taskId;;
+            if (!this.taskLink && this.taskId) this.taskLink = "v1/activities/"+encodeURIComponent(this.taskId);
             
             this.tabView = this.options.tabView || null;
             
@@ -142,7 +142,7 @@ define([
             this.updateFields('displayName', 'entityDisplayName', 'id', 'description', 'currentStatus', 'blockingDetails');
             this.updateFieldWith('blockingTask',
                 function(v) { 
-                    return "<a class='showDrillDownBlockerOfAnchor handy' link='"+_.escape(v.link)+"' id='"+v.metadata.id+"'>"+
+                    return "<a class='showDrillDownBlockerOfAnchor handy' link='"+encodeURI(v.link)+"' id='"+_.escape(v.metadata.id)+"'>"+
                         that.displayTextForLinkedTask(v)+"</a>" })
             this.updateFieldWith('result',
                 function(v) {
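Review bot: Replacing `_.escape(v.link)` with `encodeURI(v.link)` inside the single-quoted `link='…'` attribute weakens the attribute boundary rather than strengthening it: encodeURI leaves `'` (as well as `(`, `)` and `#`) unencoded, so a link value containing an apostrophe can still terminate the attribute, which the removed `_.escape` prevented. URI-encoding and HTML-attribute escaping are different layers, and a value spliced into markup needs the HTML layer regardless, e.g. `link='"+_.escape(encodeURI(v.link))+"'`. encodeURI also rewrites an existing `%` to `%25`, so if `v.link` arrives from the server already percent-encoded (I cannot see where it is produced) this double-encodes it, and plain `_.escape(v.link)` was the better call. The same substitution is made for the stream `download` href and the `submittedByTask` link below, for `actions.open` in entity-config.js and entity-sensors.js, and for `base` in entity-summary.js, all inside single-quoted attributes; the `statusIconInfo.url` case in entity-summary.js is double-quoted, so only the double-encoding concern applies there. The enclosing function continues outside the hunk.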
@@ -190,7 +190,7 @@ define([
                                 "<span class='activity-label'>" +
                                 _.escape(name) +
                                 "</span><span>" +
-                                "<a href='" + stream.link + "'>download</a>" +
+                                "<a href='" + encodeURI(stream.link) + "'>download</a>" +
                                 (stream.metadata["sizeText"] ? " (" + _.escape(stream.metadata["sizeText"]) + ")" : "") +
                                 "</span></div>";
                     }
@@ -198,7 +198,7 @@ define([
                 });
 
             this.updateFieldWith('submittedByTask',
-                function(v) { return "<a class='showDrillDownSubmittedByAnchor handy' link='"+_.escape(v.link)+"' id='"+v.metadata.id+"'>"+
+                function(v) { return "<a class='showDrillDownSubmittedByAnchor handy' link='"+encodeURI(v.link)+"' id='"+_.escape(v.metadata.id)+"'>"+
                     that.displayTextForLinkedTask(v)+"</a>" })
 
             if (this.task.get("children").length==0)
@@ -315,12 +315,12 @@ define([
             var v = this.task.get(field)
             if (v !== undefined && v != null && 
                     (typeof v !== "object" || _.size(v) > 0)) {
-                this.$('.updateField-'+field, this.$el).html( f(v) );
-                this.$('.ifField-'+field, this.$el).show();
+                this.$('.updateField-'+_.escape(field), this.$el).html( f(v) );
+                this.$('.ifField-'+_.escape(field), this.$el).show();
             } else {
                 // blank if there is no value
-                this.$('.updateField-'+field).empty();
-                this.$('.ifField-'+field).hide();
+                this.$('.updateField-'+_.escape(field)).empty();
+                this.$('.ifField-'+_.escape(field)).hide();
             }
             return v
         },
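Review bot: `_.escape(field)` on the four changed lines applies HTML entity escaping to a CSS selector, which is the wrong escaping for that context: the characters that matter in a selector (`.`, `#`, `[`, `:`, whitespace) pass through untouched, while any `&`, `<`, `>`, `"` or `'` in `field` becomes an entity that no element's class name contains, so the lookup silently matches nothing. Here `field` appears to be only the literal names passed in by `updateFields`, so the practical effect is nil, but the same pattern is repeated on ids and data attributes in application-tree.js, catalog.js, entity-activities.js, entity-config.js, entity-details.js, entity-policies.js and entity-sensors.js; in entity-activities.js the row is located with `'tr#'+_.escape(id)` while the expansion cell is then given the raw value via `.attr('id', id)`, so those two disagree for any id containing such a character. The selector-safe tool is `CSS.escape(field)` (or jQuery's `$.escapeSelector` if the bundled jQuery is 3.0 or later, which I cannot confirm here); where a value is a fixed literal, a short comment saying so is a better justification than an escape that does not apply. The enclosing function (apparently `updateFieldWith`) starts outside the hunk.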
@@ -345,7 +345,6 @@ define([
             this.showDrillDownTask("blocker of", $a.attr("link"), $a.attr("id"))
         },
         showDrillDownTask: function(relation, newTaskLink, newTaskId, newTask) {
-//            log("activities deeper drill down - "+newTaskId +" / "+newTaskLink)
             var that = this;
             
             var newBreadcrumbs = [ relation + ' ' +
@@ -369,7 +368,7 @@ define([
             }
             
             if (Backbone.history && (!this.tabView || !this.tabView.openingQueuedTasks)) {
-                Backbone.history.navigate(Backbone.history.fragment+"/"+"subtask"+"/"+this.taskId);
+                Backbone.history.navigate(Backbone.history.fragment+"/"+"subtask"+"/"+encodeURIComponent(this.taskId));
             }
 
             var $t = parent.closest('.slide-panel');
@@ -401,7 +400,7 @@ define([
 
             if (Backbone.history) {
                 var fragment = Backbone.history.fragment
-                var thisLoc = fragment.indexOf("/subtask/"+this.taskId);
+                var thisLoc = fragment.indexOf("/subtask/"+encodeURIComponent(this.taskId));
                 if (thisLoc>=0)
                     Backbone.history.navigate( fragment.substring(0, thisLoc) );
             }

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/add-child-invoke.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/add-child-invoke.js b/src/main/webapp/assets/js/view/add-child-invoke.js
index 1105afe..4f9ccf6 100644
--- a/src/main/webapp/assets/js/view/add-child-invoke.js
+++ b/src/main/webapp/assets/js/view/add-child-invoke.js
@@ -54,7 +54,7 @@ define([
         },
         showError: function (message) {
             this.$(".child-add-error-container").removeClass("hide");
-            this.$(".child-add-error-message").html(message);
+            this.$(".child-add-error-message").html(_.escape(message));
         }
 
     });
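Review bot: `.html(_.escape(message))` on the changed line works, but jQuery's `.text(message)` states the intent directly — set the message as text, never as markup — without depending on a separate escape call that a later edit can drop. The same idiom would simplify the equivalent lines in change-name-invoke.js, editor.js (where both escaped values are string literals, so the escape is a no-op), ha-summary.js and location-wizard.js. If `message` is ever expected to carry server-supplied HTML that caller would need checking first; nothing in this hunk shows it.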

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/application-add-wizard.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/application-add-wizard.js b/src/main/webapp/assets/js/view/application-add-wizard.js
index c656491..0902eec 100644
--- a/src/main/webapp/assets/js/view/application-add-wizard.js
+++ b/src/main/webapp/assets/js/view/application-add-wizard.js
@@ -165,7 +165,7 @@ define([
 
             var currentStepObj = this.steps[this.currentStep]
             this.title.html(_.template(currentStepObj.title)({appName: name}));
-            this.instructions.html(currentStepObj.instructions)
+            this.instructions.html(_.escape(currentStepObj.instructions))
             this.currentView = currentStepObj.view
             
             // delegate to sub-views !!
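Review bot: `_.escape(currentStepObj.instructions)` on the changed line renders any markup in a step's `instructions` literally, while the line just above still renders `title` through `_.template`, so the two fields are now treated differently; if the step definitions' `instructions` strings contain HTML (they are not visible here) this hunk changes their display. If they are plain strings, `this.instructions.text(currentStepObj.instructions)` says so more directly. The enclosing function continues outside the hunk.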
@@ -641,8 +641,9 @@ define([
             if (this.model.catalogEntityData==null) {
                 this.renderStaticConfig(null)
             } else if (this.model.catalogEntityData=="LOAD") {
+                console.log("loading", this.model.spec.get("type"));
                 this.renderStaticConfig("LOADING")
-                $.get('/v1/catalog/entities/'+this.model.spec.get("type"), {}, function (result) {
+                $.get('/v1/catalog/entities/'+encodeURIComponent(this.model.spec.get("type")), {}, function (result) {
                     that.model.catalogEntityData = result
                     that.renderStaticConfig(that.model.catalogEntityData)
                 })
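Review bot: The added `console.log("loading", this.model.spec.get("type"));` is debug output unrelated to the escaping change this commit makes and would ship to every user's browser console; it should be dropped before merge, as should the matching `console.log("composer deploy", event.currentTarget);` added in catalog.js. The `encodeURIComponent` on the `$.get` path is the right call for a single path segment. The enclosing function continues outside the hunk.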

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/application-tree.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/application-tree.js b/src/main/webapp/assets/js/view/application-tree.js
index 0d9f4fb..779a09e 100644
--- a/src/main/webapp/assets/js/view/application-tree.js
+++ b/src/main/webapp/assets/js/view/application-tree.js
@@ -30,19 +30,19 @@ define([
     var treeItemTemplate = _.template(TreeItemHtml);
 
     var findAllTreeboxes = function(id, $scope) {
-        return $('.tree-box[data-entity-id="' + id + '"]', $scope);
+        return $('.tree-box[data-entity-id="' + _.escape(id) + '"]', $scope);
     };
 
     var findRootTreebox = function(id, $scope) {
-        return $('.lozenge-app-tree-wrapper', $scope).children('.tree-box[data-entity-id="' + id + '"]', this.$el);
+        return $('.lozenge-app-tree-wrapper', $scope).children('.tree-box[data-entity-id="' + _.escape(id) + '"]', this.$el);
     };
 
     var findChildTreebox = function(id, $parentTreebox) {
-        return $parentTreebox.children('.node-children').children('.tree-box[data-entity-id="' + id + '"]');
+        return $parentTreebox.children('.node-children').children('.tree-box[data-entity-id="' + _.escape(id) + '"]');
     };
 
     var findMasterTreebox = function(id, $scope) {
-        return $('.tree-box[data-entity-id="' + id + '"]:not(.indirect)', $scope);
+        return $('.tree-box[data-entity-id="' + _.escape(id) + '"]:not(.indirect)', $scope);
     };
 
     var sortKeyOfIdName = function(id, name) {
@@ -75,7 +75,7 @@ define([
         var sortKey = sortKeyOfIdName(id, name);
         // Create the wrapper.
         var $treebox = $(
-                '<div data-entity-id="'+id+'" data-sort-key="'+sortKey+'" data-depth="'+depth+'" ' +
+                '<div data-entity-id="'+_.escape(id)+'" data-sort-key="'+_.escape(sortKey)+'" data-depth="'+_.escape(depth)+'" ' +
                 'class="tree-box toggler-group' +
                     (indirect ? " indirect" : "") +
                     (depth == 0 ? " outer" : " inner " + (depth % 2 ? " depth-odd" : " depth-even")+

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/catalog.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/catalog.js b/src/main/webapp/assets/js/view/catalog.js
index 9ab17e2..d5a0064 100644
--- a/src/main/webapp/assets/js/view/catalog.js
+++ b/src/main/webapp/assets/js/view/catalog.js
@@ -65,7 +65,7 @@ define([
         renderEmpty: function(extraMessage) {
             this.$el.html("<div class='catalog-details'>" +
                 "<h3>Select an entry on the left</h3>" +
-                (extraMessage ? extraMessage : "") +
+                _.escape(extraMessage ? extraMessage : "") +
                 "</div>");
             return this;
         },
@@ -124,6 +124,7 @@ define([
             }
         },
         composerDeployItem: function(event) {
+            console.log("composer deploy", event.currentTarget);
             Backbone.history.navigate("/v1/editor/app/"+ encodeURIComponent($(event.currentTarget).data("name")),
                 {trigger: true});
         },        
@@ -187,7 +188,7 @@ define([
             if (initialView) {
                 if (initialView == "entity") initialView = "yaml";
                 
-                this.$("[data-context='"+initialView+"']").addClass("active");
+                this.$("[data-context='"+_.escape(initialView)+"']").addClass("active");
                 this.showFormForType(initialView)
             }
             return this;
@@ -215,7 +216,7 @@ define([
             this.context = type;
             if (type == "location") {
                 this.contextView = newLocationForm(this, this.options.parent);
-                Backbone.history.navigate("/v1/catalog/new/" + type);
+                Backbone.history.navigate("/v1/catalog/new/" + encodeURIComponent(type));
                 this.$("#catalog-add-form").html(this.contextView.$el);
             }else{
                 // go to composer
@@ -232,7 +233,7 @@ define([
             },
             onFinish: function(wizard, data) {
                 addViewParent.loadAccordionItem("locations", data.id);
-                addView.clearWithHtml( "Added: "+data.id+". Loading..." );
+                addView.clearWithHtml( "Added: "+_.escape(data.id)+". Loading..." );
             }
         }).render();
     }
@@ -240,7 +241,7 @@ define([
     var Catalog = Backbone.Collection.extend({
         modelX: Backbone.Model.extend({
           url: function() {
-            return "/v1/catalog/" + this.name + "/" + this.id + "?allVersions=true";
+            return "/v1/catalog/" + encodeURIComponent(this.name) + "/" + encodeURIComponent(this.id) + "?allVersions=true";
           }
         }),
         initialize: function(models, options) {
@@ -254,14 +255,14 @@ define([
             var that = this; 
             var model = this.model.extend({
               url: function() {
-                return "/v1/catalog/" + that.name + "/" + this.id.split(":").join("/");
+                return "/v1/catalog/" + encodeURIComponent(that.name) + "/" + encodeURIComponent(this.id).split(encodeURIComponent(":")).join("/");
               }
             });
             _.bindAll(this);
             this.model = model;
         },
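Review bot: `encodeURIComponent(this.id).split(encodeURIComponent(":")).join("/")` on the changed line is correct but indirect: it encodes the whole id and then splits on the encoded colon (`%3A`). Encoding each segment after splitting gives the same result and reads as what it is: `return "/v1/catalog/" + encodeURIComponent(that.name) + "/" + this.id.split(":").map(encodeURIComponent).join("/");`. The enclosing `initialize` starts outside the hunk.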
         url: function() {
-            return "/v1/catalog/" + this.name+"?allVersions=true";
+            return "/v1/catalog/" + encodeURIComponent(this.name) + "?allVersions=true";
         }
     });
 
@@ -274,8 +275,8 @@ define([
             'click .accordion-nav-row': 'showDetails'
         },
         bodyTemplate: _.template(
-            "<div class='accordion-head capitalized'><%= name %></div>" +
-            "<div class='accordion-body' style='display: <%= display %>'></div>"),
+            "<div class='accordion-head capitalized'><%- name %></div>" +
+            "<div class='accordion-body' style='display: <%- display %>'></div>"),
 
         initialize: function() {
             _.bindAll(this);
@@ -353,7 +354,7 @@ define([
                 activeDetailsView = this.name;
                 this.activeCid = cid;
                 var model = this.collection.get(cid);
-                Backbone.history.navigate("v1/catalog/" + this.name + "/" + model.id);
+                Backbone.history.navigate("v1/catalog/" + encodeURIComponent(this.name) + "/" + encodeURIComponent(model.id));
                 this.options.onItemSelected(activeDetailsView, model, $event);
             }
         },
@@ -540,7 +541,7 @@ define([
                         }
                         // TODO could look in collection for any starting with ID
                         if (model && !noRedirect) {
-                            Backbone.history.navigate("/v1/catalog/" + kind + "/" + id);
+                            Backbone.history.navigate("/v1/catalog/" + encodeURIComponent(kind) + "/" + encodeURIComponent(id));
                             activeDetailsView = kind;
                             accordion.activeCid = model.cid;
                             accordion.options.onItemSelected(kind, model);
@@ -557,7 +558,7 @@ define([
             if ($target) {
                 $target.addClass("active");
             } else {
-                this.$("[data-cid=" + model.cid + "]").addClass("active");
+                this.$("[data-cid='" + _.escape(model.cid) + "']").addClass("active");
             }
             var newView = new CatalogItemDetailsView({
                 model: model,

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/change-name-invoke.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/change-name-invoke.js b/src/main/webapp/assets/js/view/change-name-invoke.js
index 30c2277..1289b83 100644
--- a/src/main/webapp/assets/js/view/change-name-invoke.js
+++ b/src/main/webapp/assets/js/view/change-name-invoke.js
@@ -26,7 +26,7 @@ define([
     return Backbone.View.extend({
         template: _.template(ChangeNameModalHtml),
         initialize: function() {
-            this.title = "Change Name of "+this.options.entity.get('name');
+            this.title = "Change Name of "+_.escape(this.options.entity.get('name'));
         },
         render: function() {
             this.$el.html(this.template({ name: this.options.entity.get('name') }));
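Review bot: The changed line escapes at the point where `this.title` is stored rather than where it is rendered; if the title is later emitted through an escaping template tag (`<%- %>`) or set with `.text()`, it is double-escaped and an entity name containing `&` displays as `&amp;`. Where `this.title` is rendered is not visible in this hunk, so this needs checking against the modal template; the safer convention is to keep the raw value in `this.title` and escape once at the output site. The unchanged `render` line below passes the raw `name` to `this.template`, so that template must use `<%- name %>` for it to be safe — the diffstat's change-name-modal.html entry is presumably that change.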
@@ -51,7 +51,7 @@ define([
         },
         showError: function (message) {
             this.$(".change-name-error-container").removeClass("hide");
-            this.$(".change-name-error-message").html(message);
+            this.$(".change-name-error-message").html(_.escape(message));
         }
     });
 });

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/editor.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/editor.js b/src/main/webapp/assets/js/view/editor.js
index ef60250..53f12f3 100644
--- a/src/main/webapp/assets/js/view/editor.js
+++ b/src/main/webapp/assets/js/view/editor.js
@@ -122,7 +122,7 @@ define([
             }
         },
         refresh: function() {
-            $("#button-run", this.$el).html(this.mode==MODE_CATALOG ? "Add to Catalog" : "Deploy");
+            $("#button-run", this.$el).html(_.escape(this.mode==MODE_CATALOG ? "Add to Catalog" : "Deploy"));
             if (this.mode==MODE_CATALOG) {
                 $("#button-switch-catalog", this.$el).addClass('active')
                 $("#button-switch-app", this.$el).removeClass('active')

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/entity-activities.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/entity-activities.js b/src/main/webapp/assets/js/view/entity-activities.js
index 07dc948..e60196f 100644
--- a/src/main/webapp/assets/js/view/entity-activities.js
+++ b/src/main/webapp/assets/js/view/entity-activities.js
@@ -200,11 +200,11 @@ define([
                     link: that.model.getLinkByName("activities")+"/"+id,
                     updateOnly: updateOnly
                 })
-                $('tr#'+id).next().find('td.row-expansion').html(html)
-                $('tr#'+id).next().find('td.row-expansion').attr('id', id)
+                $('tr#'+_.escape(id)).next().find('td.row-expansion').html(html)
+                $('tr#'+_.escape(id)).next().find('td.row-expansion').attr('id', id)
             } else {
                 // just update
-                $('tr#'+id).next().find('.task-description').html(Util.escape(task.attributes.description))
+                $('tr#'+_.escape(id)).next().find('.task-description').html(Util.escape(task.attributes.description))
             }
             
             var html = _.template(ActivityRowDetailsMainHtml, { 
@@ -212,12 +212,12 @@ define([
                 link: that.model.getLinkByName("activities")+"/"+id,
                 updateOnly: updateOnly 
             })
-            $('tr#'+id).next().find('.expansion-main').html(html)
+            $('tr#'+_.escape(id)).next().find('.expansion-main').html(html)
             
             
             if (!updateOnly) {
-                $('tr#'+id).next().find('.row-expansion .opened-row-details').hide()
-                $('tr#'+id).next().find('.row-expansion .opened-row-details').slideDown(300)
+                $('tr#'+_.escape(id)).next().find('.row-expansion .opened-row-details').hide()
+                $('tr#'+_.escape(id)).next().find('.row-expansion .opened-row-details').slideDown(300)
             }
         },
         toggleFullDetail: function(evt) {
@@ -231,7 +231,7 @@ define([
         },
         showFullActivity: function(id) {
             id = this.selectedId
-            var $details = $("td.row-expansion#"+id+" .expansion-footer");
+            var $details = $("td.row-expansion#"+_.escape(id)+" .expansion-footer");
             var task = this.collection.get(id);
             var html = _.template(ActivityFullDetailsHtml, { task: task });
             $details.html(html);
@@ -240,7 +240,7 @@ define([
         },
         hideFullActivity: function(id) {
             id = this.selectedId
-            var $details = $("td.row-expansion#"+id+" .expansion-footer");
+            var $details = $("td.row-expansion#"+_.escape(id)+" .expansion-footer");
             $details.slideUp(100);
         }
     });

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/entity-config.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/entity-config.js b/src/main/webapp/assets/js/view/entity-config.js
index e377956..abf4178 100644
--- a/src/main/webapp/assets/js/view/entity-config.js
+++ b/src/main/webapp/assets/js/view/entity-config.js
@@ -98,7 +98,7 @@ define([
                                              actions = that.getConfigActions(configName);
                                          
                                          // NB: the row might not yet exist
-                                         var $row = $('tr[id="'+configName+'"]');
+                                         var $row = $('tr[id="'+_.escape(configName)+'"]');
                                          
                                          // datatables doesn't seem to expose any way to modify the html in place for a cell,
                                          // so we rebuild
@@ -111,7 +111,7 @@ define([
                                          }
                                          
                                          if (actions.open)
-                                             result = "<a href='"+actions.open+"'>" + result + "</a>";
+                                             result = "<a href='"+encodeURI(actions.open)+"'>" + result + "</a>";
                                          if (escapedValue==null || escapedValue.length < 3)
                                              // include whitespace so we can click on it, if it's really small
                                              result += "&nbsp;&nbsp;&nbsp;&nbsp;";

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/entity-details.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/entity-details.js b/src/main/webapp/assets/js/view/entity-details.js
index 54e6d1b..2562380 100644
--- a/src/main/webapp/assets/js/view/entity-details.js
+++ b/src/main/webapp/assets/js/view/entity-details.js
@@ -111,7 +111,7 @@ define([
 //                log("could not find entity href for tab");
             }
             if (this.options.preselectTab) {
-                var tabLink = this.$('a[data-target="#'+this.options.preselectTab+'"]');
+                var tabLink = this.$('a[data-target="#'+_.escape(this.options.preselectTab)+'"]');
                 var showFn = function() { tabLink.tab('show', { duration: 0 }); };
                 if (optionalParent) showFn();
                 else _.defer(showFn);

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/entity-policies.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/entity-policies.js b/src/main/webapp/assets/js/view/entity-policies.js
index 74ba885..941949b 100644
--- a/src/main/webapp/assets/js/view/entity-policies.js
+++ b/src/main/webapp/assets/js/view/entity-policies.js
@@ -88,7 +88,7 @@ define([
                         summary:policy
                     }));
                     if (that.activePolicy) {
-                        that.$("#policies-table tr[id='"+that.activePolicy+"']").addClass("selected");
+                        that.$("#policies-table tr[id='"+_.escape(that.activePolicy)+"']").addClass("selected");
                         that.showPolicyConfig(that.activePolicy);
                         that.refreshPolicyConfig();
                     } else {

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/entity-sensors.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/entity-sensors.js b/src/main/webapp/assets/js/view/entity-sensors.js
index 0b5b7a0..5be3d26 100644
--- a/src/main/webapp/assets/js/view/entity-sensors.js
+++ b/src/main/webapp/assets/js/view/entity-sensors.js
@@ -106,7 +106,7 @@ define([
                                              actions = that.getSensorActions(sensorName);
                                          
                                          // NB: the row might not yet exist
-                                         var $row = $('tr[id="'+sensorName+'"]');
+                                         var $row = $('tr[id="'+_.escape(sensorName)+'"]');
                                          
                                          // datatables doesn't seem to expose any way to modify the html in place for a cell,
                                          // so we rebuild
@@ -119,7 +119,7 @@ define([
                                          }
                                          
                                          if (actions.open)
-                                             result = "<a href='"+actions.open+"'>" + result + "</a>";
+                                             result = "<a href='"+encodeURI(actions.open)+"'>" + result + "</a>";
                                          if (escapedValue==null || escapedValue.length < 3)
                                              // include whitespace so we can click on it, if it's really small
                                              result += "&nbsp;&nbsp;&nbsp;&nbsp;";

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/entity-summary.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/entity-summary.js b/src/main/webapp/assets/js/view/entity-summary.js
index 51a7c33..5af69af 100644
--- a/src/main/webapp/assets/js/view/entity-summary.js
+++ b/src/main/webapp/assets/js/view/entity-summary.js
@@ -118,7 +118,7 @@ define([
         updateStatusIcon: function() {
             var statusIconInfo = ViewUtils.computeStatusIconInfo(this.$(".serviceUp .value").html(), this.$(".status .value").html());
             if (statusIconInfo.url) {
-                this.$('#status-icon').html('<img src="'+statusIconInfo.url+'" '+
+                this.$('#status-icon').html('<img src="'+encodeURI(statusIconInfo.url)+'" '+
                         'style="max-width: 64px; max-height: 64px;"/>');
             } else {
                 this.$('#status-icon').html('');
@@ -160,15 +160,15 @@ define([
                 }
             }
             if (lastFailedTask) {
-                var path = "activities/subtask/"+lastFailedTask.id;
+                var path = "activities/subtask/"+encodeURIComponent(lastFailedTask.id);
                 var base = this.model.getLinkByName("self");
                 if (problemDetails)
                     problemDetails = problemDetails + "<br style='line-height: 24px;'>";
                 problemDetails = problemDetails + "<b>"+_.escape("Failure running task ")
                     +"<a class='open-tab' tab-target='"+path+"'" +
-                    		"href='#"+base+"/"+path+"'>" +
+                    		"href='#"+encodeURI(base)+"/"+path+"'>" +
             				"<i>"+_.escape(lastFailedTask.attributes.displayName)+"</i> "
-                    +"("+lastFailedTask.id+")</a>: </b>"+
+                    +"("+_.escape(lastFailedTask.id)+")</a>: </b>"+
                     _.escape(lastFailedTask.attributes.result);
             }
             if (!that.problemTasksLoaded && this.options.tasks) {
@@ -191,9 +191,9 @@ define([
                         "<br style='line-height: 24px;'>" +
                         "No Brooklyn-managed task failures reported. " +
                         "For more information, investigate " +
-                            "<a class='open-tab' tab-target='sensors' href='#"+base+"/sensors'>sensors</a> and " +
+                            "<a class='open-tab' tab-target='sensors' href='#"+encodeURI(base)+"/sensors'>sensors</a> and " +
                             "streams on recent " +
-                            "<a class='open-tab' tab-target='activities' href='#"+base+"/activities'>activity</a>, " +
+                            "<a class='open-tab' tab-target='activities' href='#"+encodeURI(base)+"/activities'>activity</a>, " +
                             "as well as external systems and logs where necessary.").show();
             }
         },

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/ha-summary.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/ha-summary.js b/src/main/webapp/assets/js/view/ha-summary.js
index 250977e..5235543 100644
--- a/src/main/webapp/assets/js/view/ha-summary.js
+++ b/src/main/webapp/assets/js/view/ha-summary.js
@@ -123,7 +123,7 @@ define([
             this.$(".timestamp").each(function(index, t) {
                 t = $(t);
                 var timestamp = t.data("timestamp");
-                t.html(moment(timestamp).fromNow());
+                t.html(_.escape(moment(timestamp).fromNow()));
             });
         }
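Review bot: `t.html(_.escape(moment(timestamp).fromNow()))` is the roundabout way to set text; jQuery's `t.text(moment(timestamp).fromNow())` writes a text node directly and does not depend on a caller remembering the escape. The same `.html(_.escape(...))` pattern is introduced in location-wizard.js, policy-config-invoke.js and policy-new.js. One caveat when switching: `_.escape` coerces `null`/`undefined` to `''`, whereas `.text(undefined)` is a getter and leaves the element untouched, so values that may be missing (`message`, `field.help`) need a guard such as `message == null ? '' : message`.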
     });

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/location-wizard.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/location-wizard.js b/src/main/webapp/assets/js/view/location-wizard.js
index b3454c7..8828101 100644
--- a/src/main/webapp/assets/js/view/location-wizard.js
+++ b/src/main/webapp/assets/js/view/location-wizard.js
@@ -107,7 +107,7 @@ define([
             var actionContainer = this.$('.location-wizard-actions').empty();
             if (this.step === 2 || (this.type === 'byon' && this.step === 1)) {
                 _.each(this.actions, function(element, index, list) {
-                    actionContainer.append($('<button>').addClass('btn btn-mini btn-info location-wizard-action ' + element.class).html(element.label));
+                    actionContainer.append($('<button>').addClass('btn btn-mini btn-info location-wizard-action ' + element.class).html(_.escape(element.label)));
                 });
             }
 
@@ -289,7 +289,7 @@ define([
 
         onDisplayHelp: function(event) {
             var $elm = this.$(event.currentTarget);
-            this.$('.help-text').html($elm.data('help')).show();
+            this.$('.help-text').html(_.escape($elm.data('help'))).show();
         },
 
         onHideHelp: function(event) {
@@ -483,7 +483,7 @@ define([
             } else if (field.type === 'select') {
                 $input = $('<select>');
                 _.each(field.values, function(value, key) {
-                    $input.append($('<option>').attr('value', key).html(value));
+                    $input.append($('<option>').attr('value', key).html(_.escape(value)));
                 });
                 $('<input>').attr('name', field.id + '-other').insertAfter($input);
             }
@@ -499,7 +499,7 @@ define([
                 .append($('<label>')
                     .addClass('control-label deploy-label')
                     .attr('for', field.id)
-                    .html(field.label))
+                    .html(_.escape(field.label)))
                 .append($input
                     .val(value)
                     .data('list', _.isBoolean(field.list) ? field.list : false)
@@ -519,7 +519,7 @@ define([
             }
 
             if (_.has(field, 'help')) {
-                $div.append($('<p>').addClass('help-block').html($('<small>').html(field.help)));
+                $div.append($('<p>').addClass('help-block').html($('<small>').html(_.escape(field.help))));
             }
 
             if (field.type === 'text' && field.id === 'spec') {
@@ -588,7 +588,7 @@ define([
                 if (_.isObject($(this).data('require-deps'))) {
                     var require = true;
                     _.each($(this).data('require-deps'), function(values, key) {
-                        require = require && _.contains(values, that.$('[name=' + key + ']').val());
+                        require = require && _.contains(values, that.$('[name=' + _.escape(key) + ']').val());
                     });
                     $(this).data('require', require);
                 }
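Review bot: `_.escape(key)` applies HTML escaping inside a jQuery selector, which is the wrong escaping for that context: an `&` in `key` becomes `&amp;` and no longer matches the element, while `]`, `.`, `:` or whitespace still change the selector's meaning. Avoid building a selector from the key, e.g. `require = require && _.contains(values, that.$('[name]').filter(function () { return this.name === key; }).val());`, or CSS-escape it inside a quoted attribute selector (`$.escapeSelector` on jQuery 3+, `CSS.escape` in the browser). The `disable-deps` hunk below has the same issue. The enclosing function starts outside the hunk.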
@@ -597,7 +597,7 @@ define([
                 if (_.isObject($(this).data('disable-deps'))) {
                     var disable = true;
                     _.each($(this).data('disable-deps'), function(values, key) {
-                        disable = disable && _.contains(values, that.$('[name=' + key + ']').val());
+                        disable = disable && _.contains(values, that.$('[name=' + _.escape(key) + ']').val());
                     });
                     if (disable) {
                         $(this).attr('disabled', 'disabled').val('');

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/policy-config-invoke.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/policy-config-invoke.js b/src/main/webapp/assets/js/view/policy-config-invoke.js
index 36b5d9f..4b68cf2 100644
--- a/src/main/webapp/assets/js/view/policy-config-invoke.js
+++ b/src/main/webapp/assets/js/view/policy-config-invoke.js
@@ -66,7 +66,7 @@ define([
 
         showError: function (message) {
             this.$(".policy-add-error-container").removeClass("hide");
-            this.$(".policy-add-error-message").html(message);
+            this.$(".policy-add-error-message").html(_.escape(message));
         },
 
         title: function () {

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/policy-new.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/policy-new.js b/src/main/webapp/assets/js/view/policy-new.js
index c190f78..d883f34 100644
--- a/src/main/webapp/assets/js/view/policy-new.js
+++ b/src/main/webapp/assets/js/view/policy-new.js
@@ -75,7 +75,7 @@ define([
 
         showError: function (message) {
             this.$(".policy-add-error-container").removeClass("hide");
-            this.$(".policy-add-error-message").html(message);
+            this.$(".policy-add-error-message").html(_.escape(message));
         }
     });
 

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/js/view/script-groovy.js
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/js/view/script-groovy.js b/src/main/webapp/assets/js/view/script-groovy.js
index 045e4f1..3a5ee0d 100644
--- a/src/main/webapp/assets/js/view/script-groovy.js
+++ b/src/main/webapp/assets/js/view/script-groovy.js
@@ -51,7 +51,7 @@ define([
         },
         loadExample: function() {
             $(".input textarea").val(
-                    'import static org.apache.brooklyn.entity.software.base.Entities.*\n'+
+                    'import static org.apache.brooklyn.core.entity.Entities.*\n'+
                     '\n'+
                     'println "Last result: "+last\n'+
                     'data.exampleRunCount = (data.exampleRunCount ?: 0) + 1\n'+

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/app-add-wizard/create-step-template-entry.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/app-add-wizard/create-step-template-entry.html b/src/main/webapp/assets/tpl/app-add-wizard/create-step-template-entry.html
index 3234c2d..7e35e83 100644
--- a/src/main/webapp/assets/tpl/app-add-wizard/create-step-template-entry.html
+++ b/src/main/webapp/assets/tpl/app-add-wizard/create-step-template-entry.html
@@ -21,7 +21,7 @@ under the License.
 <div class="template-lozenge frame" id="<%- id %>" data-type="<%- type %>" data-name="<%- name %>" data-yaml="<%- planYaml %>">
     <% if (iconUrl) { %>
     <div class="icon">
-        <img src="<%- iconUrl %>" alt="(icon)" />
+        <img src="<%= encodeURI(iconUrl) %>" alt="(icon)" />
     </div>
     <% } %>
     <div class="blurb">
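Review bot: `encodeURI(iconUrl)` percent-encodes the characters that would break out of the attribute, but it does not constrain the URL itself — a `javascript:` or `data:` value passes through unchanged — so it is not a substitute for checking the scheme. For this `<img src>` the browser will not execute such a URL, but the same pattern on `<a href="<%= encodeURI(link) %>">` in activity-row-details.html produces a navigable link. If these values can originate from user-supplied catalog or blueprint content, validate the scheme (relative, `http:`, `https:`) before rendering, and keep the HTML escape as defence in depth, `<%- encodeURI(iconUrl) %>`; the same applies to the `src` attributes in summary.html and tree-item.html.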

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-option.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-option.html b/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-option.html
index 6611618..421da3a 100644
--- a/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-option.html
+++ b/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-option.html
@@ -18,6 +18,6 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-<option value="<%= typeof id !== 'undefined' ? id : url /* both add app wizard and effector (eg addRegion) should now use id, but url left just in case */ %>">
-    <span class="provider"><%= name %></span>
+<option value="<%= typeof id !== 'undefined' ? _.escape(id) : encodeURI(url) /* both add app wizard and effector (eg addRegion) should now use id, but url left just in case */ %>">
+    <span class="provider"><%- name %></span>
 </option>
\ No newline at end of file
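Review bot: `encodeURI(url)` is applied to an `<option value>`, which is not a URL context: percent-encoding alters the value that the wizard later reads back (a space becomes `%20`), while `'`, `(` and `)` still pass through unencoded. The protection the attribute needs is HTML escaping, which also preserves the data: `<option value="<%- typeof id !== 'undefined' ? id : url /* both add app wizard and effector (eg addRegion) should now use id, but url left just in case */ %>">`. Whether the consumer decodes the value is not visible here, so confirm before changing.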

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-row.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-row.html b/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-row.html
index bb41b44..88e6098 100644
--- a/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-row.html
+++ b/src/main/webapp/assets/tpl/app-add-wizard/deploy-location-row.html
@@ -18,7 +18,7 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-<div id="location-row-<%= rowId %>" rowId="<%= rowId %>" initialValue="<%= initialValue %>" class="location-selector-row">
+<div id="location-row-<%- rowId %>" rowId="<%- rowId %>" initialValue="<%- initialValue %>" class="location-selector-row">
     <select class="select-location" style="margin:4px 0 4px 0; width:80%"></select>
     <% if (rowId > 0) { %>
         <button id="remove-app-location" class="btn btn-info btn-mini" type="button"><i class="icon-minus-sign"></i></button>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/app-add-wizard/required-config-entry.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/app-add-wizard/required-config-entry.html b/src/main/webapp/assets/tpl/app-add-wizard/required-config-entry.html
index 45c8770..c0ec750 100644
--- a/src/main/webapp/assets/tpl/app-add-wizard/required-config-entry.html
+++ b/src/main/webapp/assets/tpl/app-add-wizard/required-config-entry.html
@@ -19,8 +19,8 @@ under the License.
 -->
 
 <tr class="controls app-add-wizard-config-entry">
-    <td><% if (data.label) { %><%= data.label %><% } else { %><%= data.name %><% } %>
-    <input id="key" type="text" class="input-medium" name="key" value="<%= data.name %>" style="display: none;">
+    <td><% if (data.label) { %><%- data.label %><% } else { %><%- data.name %><% } %>
+    <input id="key" type="text" class="input-medium" name="key" value="<%- data.name %>" style="display: none;">
     &nbsp;&nbsp;&nbsp;
     </td>
     <td> 
@@ -34,7 +34,7 @@ under the License.
             element = null;
         for (var i = 0; i < length; i++) {
           element = data.possibleValues[i]; %>
-        <option value="<%= element.value %>"<% if (data.defaultValue == element.value) { %> selected="selected"<% } %>><%= element.description %></option>
+        <option value="<%- element.value %>"<% if (data.defaultValue == element.value) { %> selected="selected"<% } %>><%- element.description %></option>
         <% } %>
       </select>
     <% } else { %>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/activity-details.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/activity-details.html b/src/main/webapp/assets/tpl/apps/activity-details.html
index 50773ed..e561622 100644
--- a/src/main/webapp/assets/tpl/apps/activity-details.html
+++ b/src/main/webapp/assets/tpl/apps/activity-details.html
@@ -27,7 +27,7 @@ under the License.
      </div>
      <% for (crumb in breadcrumbs) { %>
      <div style="margin-right: 20px; font-weight: 400; font-size: 80%; text-align: right; line-height: 14px;">
-        <%= breadcrumbs[crumb] %></span>
+        <%- breadcrumbs[crumb] %></span>
      </div>
      <% } %>
     </div>
@@ -52,7 +52,7 @@ under the License.
 
 <div class="activity-details-section activity-name-and-id">
     <span class="activity-label">Name:</span> <span class="updateField-displayName">Loading...</span> <br/>
-    <span class="activity-label">ID:</span> <span class="updateField-id"><%= taskId %></span>
+    <span class="activity-label">ID:</span> <span class="updateField-id"><%- taskId %></span>
 </div>
 <div class="activity-details-section activity-time">
     <!-- these are dynamic -->

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/activity-full-details.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/activity-full-details.html b/src/main/webapp/assets/tpl/apps/activity-full-details.html
index 065a080..def2f04 100644
--- a/src/main/webapp/assets/tpl/apps/activity-full-details.html
+++ b/src/main/webapp/assets/tpl/apps/activity-full-details.html
@@ -19,7 +19,7 @@ under the License.
 -->
 
 <div class="for-activity-textarea">
-    <textarea readonly="readonly" rows="1" style="width:100%;"><%= 
+    <textarea readonly="readonly" rows="1" style="width:100%;"><%- 
         task.attributes.detailedStatus 
     %></textarea>
 </div>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/activity-row-details-main.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/activity-row-details-main.html b/src/main/webapp/assets/tpl/apps/activity-row-details-main.html
index b804cfa..36fc3db 100644
--- a/src/main/webapp/assets/tpl/apps/activity-row-details-main.html
+++ b/src/main/webapp/assets/tpl/apps/activity-row-details-main.html
@@ -18,11 +18,11 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-    <% if (task.startTimeUtc) { %>started <%= moment(task.startTimeUtc).fromNow() %><% 
-        if (task.submitTimeUtc != task.startTimeUtc) { %> (submitted <%= moment(task.submitTimeUtc).from(task.startTimeUtc, true) %> earlier)<% } 
-        if (task.endTimeUtc) { %>, finished after <%= moment(task.endTimeUtc).from(task.startTimeUtc, true) %> 
+    <% if (task.startTimeUtc) { %>started <%- moment(task.startTimeUtc).fromNow() %><% 
+        if (task.submitTimeUtc != task.startTimeUtc) { %> (submitted <%- moment(task.submitTimeUtc).from(task.startTimeUtc, true) %> earlier)<% } 
+        if (task.endTimeUtc) { %>, finished after <%- moment(task.endTimeUtc).from(task.startTimeUtc, true) %> 
         <% } else { %>, in progress
         <% } %>
     <% } else { %>
-       submitted <%= moment(task.submitTimeUtc).fromNow() %>, waiting
+       submitted <%- moment(task.submitTimeUtc).fromNow() %>, waiting
     <% } %>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/activity-row-details.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/activity-row-details.html b/src/main/webapp/assets/tpl/apps/activity-row-details.html
index f01b357..5eb1012 100644
--- a/src/main/webapp/assets/tpl/apps/activity-row-details.html
+++ b/src/main/webapp/assets/tpl/apps/activity-row-details.html
@@ -24,11 +24,11 @@ under the License.
     <div class="expansion-header">
       <div style="float: right;" class="toolbar-row">
         <!--  <a class="handy icon-book toggleLog"></a> -->
-        <a href="<%= link %>"><i class="handy icon-file showJson" rel="tooltip" title="JSON direct link"></i></a>
+        <a href="<%= encodeURI(link) %>"><i class="handy icon-file showJson" rel="tooltip" title="JSON direct link"></i></a>
         <i class="handy icon-inbox toggleFullDetail" rel="tooltip" title="Show even more detail"></i>
         <i class="handy icon-chevron-right showDrillDown" rel="tooltip" title="Drill into sub-tasks"></i>
       </div>
-      <b><i><span class="task-description"><%= task.description %></span></i></b>
+      <b><i><span class="task-description"><%- task.description %></span></i></b>
     </div>
     <div class="expansion-main">
     </div>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/change-name-modal.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/change-name-modal.html b/src/main/webapp/assets/tpl/apps/change-name-modal.html
index 49cec81..4339188 100644
--- a/src/main/webapp/assets/tpl/apps/change-name-modal.html
+++ b/src/main/webapp/assets/tpl/apps/change-name-modal.html
@@ -21,7 +21,7 @@ under the License.
     <h4 style="margin-bottom: 9px;">New Name</h4>
     <p>Change the display name of an entity</p>
 
-    <input type="text" id="new-name" style="width: 100%;" value="<%= name %>"></input>
+    <input type="text" id="new-name" style="width: 100%;" value="<%- name %>"></input>
 
     <div class="hide alert alert-error change-name-error-container" style="margin-top: 9px;">
         <strong>Error</strong>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/effector-modal.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/effector-modal.html b/src/main/webapp/assets/tpl/apps/effector-modal.html
index 97aafc7..0e49ccb 100644
--- a/src/main/webapp/assets/tpl/apps/effector-modal.html
+++ b/src/main/webapp/assets/tpl/apps/effector-modal.html
@@ -22,9 +22,9 @@ under the License.
 
 <div class="modal-header">
     <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
-    <h3><%= entityName %> <%= name %></h3>
+    <h3><%- entityName %> <%- name %></h3>
 
-    <p><%= description %></p>
+    <p><%- description %></p>
 </div>
 
 <div class="modal-body">

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/effector-row.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/effector-row.html b/src/main/webapp/assets/tpl/apps/effector-row.html
index c6b1a7c..6b9b6d9 100644
--- a/src/main/webapp/assets/tpl/apps/effector-row.html
+++ b/src/main/webapp/assets/tpl/apps/effector-row.html
@@ -19,9 +19,9 @@ under the License.
 -->
 
 <tr>
-    <td class="effector-name"><%= name %></td>
-    <td><%= description %></td>
+    <td class="effector-name"><%- name %></td>
+    <td><%- description %></td>
     <td class="effector-action">
-        <button class="btn btn-info btn-mini show-effector-modal" id="<%=cid%>">Invoke</button>
+        <button class="btn btn-info btn-mini show-effector-modal" id="<%- cid %>">Invoke</button>
     </td>
 </tr>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/entity-not-found.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/entity-not-found.html b/src/main/webapp/assets/tpl/apps/entity-not-found.html
index 9c705ed..a987b1e 100644
--- a/src/main/webapp/assets/tpl/apps/entity-not-found.html
+++ b/src/main/webapp/assets/tpl/apps/entity-not-found.html
@@ -19,6 +19,6 @@ under the License.
 -->
 
 <div class="padded-div">
-    <p>Failed to load entity <strong><%= id %></strong>. Does it exist?</p>
+    <p>Failed to load entity <strong><%- id %></strong>. Does it exist?</p>
     <p>Try <a class="handy application-tree-refresh">reloading the applications list</a> or refreshing the page.</p>
 </div>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/param.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/param.html b/src/main/webapp/assets/tpl/apps/param.html
index eff2a9b..8513da2 100644
--- a/src/main/webapp/assets/tpl/apps/param.html
+++ b/src/main/webapp/assets/tpl/apps/param.html
@@ -19,8 +19,8 @@ under the License.
 -->
 
 <!--effector param template -->
-<tr class="effector-param" rel="tooltip" title="<%= description %></b><br><br><%= type %>" data-placement="left">
-    <td class="param-name"><%= name %></td>
+<tr class="effector-param" rel="tooltip" title="<%- description %></b><br><br><%- type %>" data-placement="left">
+    <td class="param-name"><%- name %></td>
     <!-- TODO: for now this just looks at the name of the parameter which is poor (and @Beta !). 
     Better will be to use a strongly-typed LocationCollection or (significantly better) supply a generic 
     server-side mechanism for populating options in some situations. -->
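Review bot: The `<%- description %>` inside `title="..."` on the changed `<tr>` is undone before the tooltip renders it: the HTML parser decodes the entities when it reads the attribute, and if the Bootstrap tooltip is initialised with `html: true` (the `</b><br>` markup in the title suggests it is), `description` reaches the tooltip's `.html()` as raw markup. Either escape twice for that attribute, `title="<%- _.escape(description) %></b><br><br><%- _.escape(type) %>"`, or initialise the tooltip without `html: true` and drop the inline markup. policy-config-row.html has the same `title` construction. The `</b>` without an opening `<b>` in this title looks pre-existing but is worth tidying.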

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/policy-config-row.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/policy-config-row.html b/src/main/webapp/assets/tpl/apps/policy-config-row.html
index cb2cdce..5651f9b 100644
--- a/src/main/webapp/assets/tpl/apps/policy-config-row.html
+++ b/src/main/webapp/assets/tpl/apps/policy-config-row.html
@@ -20,12 +20,12 @@ under the License.
 
 <tr class="policy-config-row">
     <td class="policy-config-name"><span
-        rel="tooltip" title="<b><%= description %></b><br/>(<%= type %>)" data-placement="left"
-        ><%= name %></span></td>
-    <td class="policy-config-value"><%= value %></td>
+        rel="tooltip" title="<b><%- description %></b><br/>(<%- type %>)" data-placement="left"
+        ><%- name %></span></td>
+    <td class="policy-config-value"><%- value %></td>
     <td class="policy-config-action">
         <% if (reconfigurable) { %>
-        <button class="btn btn-info btn-mini show-policy-config-modal" id="<%= cid %>">Edit</button>
+        <button class="btn btn-info btn-mini show-policy-config-modal" id="<%- cid %>">Edit</button>
         <% } %> 
     </td>
 </tr>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/policy-parameter-config.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/policy-parameter-config.html b/src/main/webapp/assets/tpl/apps/policy-parameter-config.html
index fa52331..0a8d910 100644
--- a/src/main/webapp/assets/tpl/apps/policy-parameter-config.html
+++ b/src/main/webapp/assets/tpl/apps/policy-parameter-config.html
@@ -17,12 +17,12 @@ specific language governing permissions and limitations
 under the License.
 -->
 <p>
-    <strong>Update the value for <%= name %></strong>
+    <strong>Update the value for <%- name %></strong>
 </p>
 <p>
-    <%= description %>
+    <%- description %>
 </p>
-<input id="policy-config-value" type="text" class="input-xlarge" name="value" value="<%= value %>" autofocus />
+<input id="policy-config-value" type="text" class="input-xlarge" name="value" value="<%- value %>" autofocus />
 
 <div class="hide alert alert-error policy-add-error-container" style="margin-top: 9px; margin-bottom: 0;">
     <strong>Error</strong>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/policy-row.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/policy-row.html b/src/main/webapp/assets/tpl/apps/policy-row.html
index 0799ac0..f3fcb1c 100644
--- a/src/main/webapp/assets/tpl/apps/policy-row.html
+++ b/src/main/webapp/assets/tpl/apps/policy-row.html
@@ -18,15 +18,15 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-<tr class="policy-row" id="<%= cid %>">
-    <td class="policy-name"><%= name %></td>
-    <td><%= state %></td>
+<tr class="policy-row" id="<%- cid %>">
+    <td class="policy-name"><%- name %></td>
+    <td><%- state %></td>
     <td class="policy-action">
         <% if (state == "RUNNING") { %>
-        <button class="btn btn-info btn-mini policy-stop" link="<%= summary.getLinkByName('stop') %>">Suspend</button>
+        <button class="btn btn-info btn-mini policy-stop" link="<%- summary.getLinkByName('stop') %>">Suspend</button>
         <% } else if (state == "STOPPED") { %>
-        <button class="btn btn-info btn-mini policy-start" link="<%= summary.getLinkByName('start') %>">Resume</button>
-        <button class="btn btn-info btn-mini policy-destroy" link="<%= summary.getLinkByName('destroy') %>">Destroy</button>
+        <button class="btn btn-info btn-mini policy-start" link="<%- summary.getLinkByName('start') %>">Resume</button>
+        <button class="btn btn-info btn-mini policy-destroy" link="<%- summary.getLinkByName('destroy') %>">Destroy</button>
         <% } %> 
     </td>
 </tr>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/summary.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/summary.html b/src/main/webapp/assets/tpl/apps/summary.html
index ed90c75..e7eddfb 100644
--- a/src/main/webapp/assets/tpl/apps/summary.html
+++ b/src/main/webapp/assets/tpl/apps/summary.html
@@ -23,7 +23,7 @@ under the License.
  <div id="title-and-info-row" style="white-space: nowrap;">
   <% if (entity.getLinkByName('iconUrl')) { %>
   <div style="display: inline-block; vertical-align: bottom; padding-top: 12px; padding-bottom: 18px;">
-    <img src="<%= entity.getLinkByName('iconUrl') %>"
+    <img src="<%= encodeURI(entity.getLinkByName('iconUrl')) %>"
         style="max-width: 128px; max-height: 128px;"/>
   </div>
   <% } %>
@@ -31,7 +31,7 @@ under the License.
   <div style="display: inline-block; vertical-align: bottom;">
   
    <div class="name" style="margin-bottom: 12px; padding-right: 12px;">
-     <h2><%= entity.get('name') %></h2>
+     <h2><%- entity.get('name') %></h2>
    </div>
 
   </div>
@@ -60,15 +60,15 @@ under the License.
         
         <div class="info-name-value type" style="margin-top: 12px;">
             <div class="name">Type</div>
-            <div class="value"><%= entity.get('type') %></div>
+            <div class="value"><%- entity.get('type') %></div>
         </div>
         <div class="info-name-value id">
             <div class="name">ID</div>
-            <div class="value"><%= entity.get('id') %></div>
+            <div class="value"><%- entity.get('id') %></div>
         </div>
         <div class="info-name-value catalogItemId hide">
             <div class="name">Catalog Item</div>
-            <div class="value"><a href="#v1/catalog/<%= (isApp ? "applications" : "entities") %>/<%= entity.get('catalogItemId') %>"><%= entity.get('catalogItemId') %></a></div>
+            <div class="value"><a href="#v1/catalog/<%= (isApp ? "applications" : "entities") %>/<%= encodeURIComponent(entity.get('catalogItemId')) %>"><%- entity.get('catalogItemId') %></a></div>
         </div>
 
         <div class="additional-info-on-problem hide" style="margin-top: 12px;">

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/apps/tree-item.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/apps/tree-item.html b/src/main/webapp/assets/tpl/apps/tree-item.html
index f13107a..cd91b10 100644
--- a/src/main/webapp/assets/tpl/apps/tree-item.html
+++ b/src/main/webapp/assets/tpl/apps/tree-item.html
@@ -27,7 +27,7 @@ under the License.
 
     if (!isLoaded) {
 %>
-        <i>Loading... (<%= id %>)</i>
+        <i>Loading... (<%- id %>)</i>
 <%  } else {
         var hasChildren = model.hasChildren() || model.hasMembers();
         var iconUrl = model.get('iconUrl');
@@ -40,19 +40,19 @@ under the License.
         var statusColumnWidth = hasChildren || statusIconUrl || (!isApp && !iconUrl /* for children, insert space so things line up */) ? statusIconSize : 0;
 %>
 
-  <span class="entity_tree_node name entity" id="span-<%= id %>" 
-        data-entity-id="<%= id %>" data-entity-type="<%= model.get('type') %>" data-parent-id="<%= parentId %>" data-app-id="<%= model.get('applicationId') %>">
-    <a href="#v1/applications/<%= model.get('applicationId') %>/entities/<%= id %>">
+  <span class="entity_tree_node name entity" id="span-<%- id %>" 
+        data-entity-id="<%- id %>" data-entity-type="<%- model.get('type') %>" data-parent-id="<%- parentId %>" data-app-id="<%- model.get('applicationId') %>">
+    <a href="#v1/applications/<%= encodeURIComponent(model.get('applicationId')) %>/entities/<%= encodeURIComponent(id) %>">
 
-      <div style="min-width: <%= statusColumnWidth + (iconUrl ? entityIconSize : 6)%>px; min-height: <%= minHeight %>px; max-height: 40px; display: inline-block; margin-right: 4px; vertical-align: middle;">
+      <div style="min-width: <%- statusColumnWidth + (iconUrl ? entityIconSize : 6)%>px; min-height: <%= minHeight %>px; max-height: 40px; display: inline-block; margin-right: 4px; vertical-align: middle;">
         <% if (statusIconUrl) { %>
         <div style="position: absolute; left: 0px; margin: auto; top: <%= isApp && hasChildren ? 3 : 2 %>px;<% if (!hasChildren) { %> bottom: 0px;<% } %>">
-            <img src="<%= statusIconUrl %>" style="max-width: <%= statusIconSize %>px; max-height: <%= statusIconSize %>px; margin: auto; position: absolute; top: -1px;<% if (!hasChildren) { %> bottom: 0px;<% } %>">
+            <img src="<%= encodeURI(statusIconUrl) %>" style="max-width: <%- statusIconSize %>px; max-height: <%- statusIconSize %>px; margin: auto; position: absolute; top: -1px;<% if (!hasChildren) { %> bottom: 0px;<% } %>">
         </div>
         <% } %>
 
         <% if (hasChildren) { %>
-        <div style="position: absolute; left: <%= chevronLeft %>px; margin: auto; <%= statusIconUrl ? "bottom: -1px;" : isApp ? "top: 6px;" : "top: 6px;" %>">
+        <div style="position: absolute; left: <%- chevronLeft %>px; margin: auto; <%= encodeURI(statusIconUrl) ? "bottom: -1px;" : isApp ? "top: 6px;" : "top: 6px;" %>">
             <div class="toggler-icon icon-chevron-right tree-node-state tree-change">
                 <div class="light-popup">
                     <div class="light-popup-body">
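Review bot: `encodeURI(statusIconUrl)` on the chevron `<div style=...>` line is used as a boolean test, and `encodeURI(undefined)` returns the string `"undefined"`, which is truthy, so when no status icon is set (the `if (statusIconUrl)` guard above implies it can be missing) the branch now emits `bottom: -1px;` instead of `top: 6px;`. Restore the plain test, `<%= statusIconUrl ? "bottom: -1px;" : isApp ? "top: 6px;" : "top: 6px;" %>`; encoding only belongs where the value is output. Both arms of the inner ternary are identical, which looks pre-existing.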
@@ -68,14 +68,14 @@ under the License.
         <% } %>
 
         <% if (iconUrl) { %>
-            <img src="<%= iconUrl %>" style="max-width: <%= entityIconSize %>px; max-height: <%= entityIconSize %>px; position: absolute; padding-left: 5px; left: <%= statusColumnWidth %>px; top: 0; bottom: 0; margin: auto;">
+            <img src="<%= encodeURI(iconUrl) %>" style="max-width: <%- entityIconSize %>px; max-height: <%- entityIconSize %>px; position: absolute; padding-left: 5px; left: <%- statusColumnWidth %>px; top: 0; bottom: 0; margin: auto;">
         <% } %>
       </div>
 
       <% if (indirect) { %>
         <i class="indirection-icon icon-share-alt"></i>
       <% } %>
-      <span style="max-height: 18px; padding-right: 6px; position: relative; margin: auto; top: 2px; bottom: 0;"><%= model.get('name') %></span>
+      <span style="max-height: 18px; padding-right: 6px; position: relative; margin: auto; top: 2px; bottom: 0;"><%- model.get('name') %></span>
 
     </a>
   </span>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/catalog/details-entity.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/catalog/details-entity.html b/src/main/webapp/assets/tpl/catalog/details-entity.html
index 802729b..02371c7 100644
--- a/src/main/webapp/assets/tpl/catalog/details-entity.html
+++ b/src/main/webapp/assets/tpl/catalog/details-entity.html
@@ -20,9 +20,9 @@ under the License.
 <div class="catalog-details">
 
     <div class="float-right">
-        <button data-name="<%= model.id %>" class="btn composer"
+        <button data-name="<%- model.id %>" class="btn composer"
             title="Open this blueprint in the Composer where the YAML can be edited and deployed.">YAML Composer</button>
-        <button data-name="<%= model.id %>" class="btn btn-danger delete">Delete</button>
+        <button data-name="<%- model.id %>" class="btn btn-danger delete">Delete</button>
     </div>
 
     <% if (model.get("name") != model.get("symbolicName")) { %>
@@ -105,7 +105,7 @@ under the License.
                 <div class="accordion-inner">
                     <% if (model.error) { %>
                     <p><i class="icon-exclamation-sign"></i> Could not load sensors</p>
-                    <% } else if (!model.get("sensors")) { %>
+                    <% } else if (!model.get("sensors") && !model.get("config")) { %>
                         <p>Loading...</p>
                     <% } else if (_.isEmpty(model.get("sensors"))) { %>
                         <p>No sensors</p>
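Review bot: The new condition `!model.get("sensors") && !model.get("config")` changes when "Loading..." is shown, which is a behaviour change unrelated to escaping and not mentioned in the commit message; the effectors hunk below makes the same change. As read, the placeholder now disappears as soon as either sensors or config is present, so an entity whose config has arrived while sensors are still pending falls through to the `_.isEmpty` branch and shows "No sensors" — presumably fine because both come from the same fetch, but worth confirming. A template comment such as `<% /* sensors and config are loaded together: either present means the load finished */ %>` above the branch would record the intent.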
@@ -142,7 +142,7 @@ under the License.
                 <div class="accordion-inner">
                 <% if (model.error) { %>
                     <p><i class="icon-exclamation-sign"></i> Could not load effectors</p>
-                <% } else if (!model.get("effectors")) { %>
+                <% } else if (!model.get("effectors") && !model.get("config")) { %>
                     <p>Loading...</p>
                 <% } else if (_.isEmpty(model.get("effectors"))) { %>
                     <p>No effectors</p>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/catalog/details-generic.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/catalog/details-generic.html b/src/main/webapp/assets/tpl/catalog/details-generic.html
index 49a29a0..4995632 100644
--- a/src/main/webapp/assets/tpl/catalog/details-generic.html
+++ b/src/main/webapp/assets/tpl/catalog/details-generic.html
@@ -20,23 +20,23 @@ under the License.
 <div class="catalog-details">
 
     <div class="float-right">
-        <button data-name="<%= model.id %>" class="btn btn-danger delete">Delete</button>
+        <button data-name="<%- model.id %>" class="btn btn-danger delete">Delete</button>
     </div>
 
     <% if (model.get("name") !== undefined) { %>
-        <h2><%= model.get("name") %></h2>
+        <h2><%- model.get("name") %></h2>
     <% } else if (model.get("type") !== undefined) { %>
-        <h2><%= model.get("type") %></h2>
+        <h2><%- model.get("type") %></h2>
     <% } %>
 
     <dl>
         <% _.each(model.attributes, function(value, key) { %>
             <% if (value) { %>
-                <dt><%= key %></dt>
+                <dt><%- key %></dt>
                 <% if (_.isObject(value)) { %>
                     <dd>Not shown: is a complex object</dd>
                 <% } else { %>
-                    <dd><%= value %></dd>
+                    <dd><%- value %></dd>
                 <% } %>
             <% } %>
         <% }) %>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/catalog/details-location.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/catalog/details-location.html b/src/main/webapp/assets/tpl/catalog/details-location.html
index 040dc3f..850c76c 100644
--- a/src/main/webapp/assets/tpl/catalog/details-location.html
+++ b/src/main/webapp/assets/tpl/catalog/details-location.html
@@ -21,9 +21,9 @@ under the License.
 
     <div class="float-right">
       <% if (model.get("catalog") && model.get("catalog").planYaml) { %>
-        <button data-name="<%= model.getIdentifierName() %>" class="btn composer"
+        <button data-name="<%- model.getIdentifierName() %>" class="btn composer"
             title="Open this blueprint in the Composer where the YAML can be edited and deployed.">YAML Composer</button>
-        <button data-name="<%= model.getIdentifierName() %>" class="btn btn-danger delete">Delete</button>
+        <button data-name="<%- model.getIdentifierName() %>" class="btn btn-danger delete">Delete</button>
       <% } else { %>
         <button class="btn composer" disabled
             title="This item is defined in properties and cannot be edited.">YAML Composer</button>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/catalog/nav-entry.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/catalog/nav-entry.html b/src/main/webapp/assets/tpl/catalog/nav-entry.html
index e739704..dd842b4 100644
--- a/src/main/webapp/assets/tpl/catalog/nav-entry.html
+++ b/src/main/webapp/assets/tpl/catalog/nav-entry.html
@@ -16,4 +16,4 @@ KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
-<div data-cid="<%= cid %>" class="accordion-nav-row <%= extraClasses %> <%= isChild ? 'accordion-nav-child' : '' %>"><%- type %></div>
+<div data-cid="<%- cid %>" class="accordion-nav-row <%= extraClasses %> <%- isChild ? 'accordion-nav-child' : '' %>"><%- type %></div>
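Review bot: `extraClasses` is the one interpolation on this line still emitted with `<%=` while `cid`, `isChild` and `type` now use `<%-`; if it is ever built from anything other than constant class-name literals, the raw form lets it terminate the `class` attribute, so `class="accordion-nav-row <%- extraClasses %> <%- isChild ? 'accordion-nav-child' : '' %>"` keeps the line consistent with the rest of the commit. If extraClasses is always a fixed literal the raw form is harmless, but the mixed styles on one line invite the wrong one to be copied.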

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/home/app-entry.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/home/app-entry.html b/src/main/webapp/assets/tpl/home/app-entry.html
index 13e7ab3..d279506 100644
--- a/src/main/webapp/assets/tpl/home/app-entry.html
+++ b/src/main/webapp/assets/tpl/home/app-entry.html
@@ -19,5 +19,5 @@ under the License.
 -->
 
 <!-- Application entry template inside the main application page -->
-<td><a href="#<%= link && link[0]=='/' ? link.substring(1) : link %>"><%= name %></a></td>
-<td><%= status %></td>
+<td><a href="#<%= encodeURI(link && link[0]=='/' ? link.substring(1) : link) %>"><%- name %></a></td>
+<td><%- status %></td>
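Review bot: Wrapping the whole conditional in `encodeURI` means a null or undefined `link` now renders as `#undefined`/`#null`, because encodeURI stringifies its argument, whereas the bare `<%=` form used to emit an empty string for a nullish value; the `link &&` in the expression only guards the index access, not the result. Guarding the call instead, `<a href="#<%= link ? encodeURI(link[0] === '/' ? link.substring(1) : link) : '' %>">`, preserves the previous output for a missing link (and `===` replaces the loose comparison).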

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/home/server-caution.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/home/server-caution.html b/src/main/webapp/assets/tpl/home/server-caution.html
index 8692a2e..875b34a 100644
--- a/src/main/webapp/assets/tpl/home/server-caution.html
+++ b/src/main/webapp/assets/tpl/home/server-caution.html
@@ -73,7 +73,7 @@ under the License.
             It is recommended not to use this server directly.</p>
             
     <% if (masterUri) { %>
-        <p>Redirecting to the master server at <a href="<%= masterUri %>"><%= masterUri %></a> shortly.</p>
+        <p>Redirecting to the master server at <a href="<%= encodeURI(masterUri) %>"><%- masterUri %></a> shortly.</p>
     <% } else { %>
         <p>The address of the master Brooklyn server is not currently known.</p>
     <% } %>
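Review bot: `encodeURI(masterUri)` percent-encodes the characters that would break out of the `href` attribute but does not constrain what the value is: anything that is not an http(s) URL passes through with only its reserved characters encoded. masterUri is presumably taken from the server's own HA state and therefore trusted, but if it can come from anywhere less trusted, parsing it and checking the scheme before rendering the link would be the stronger check; the visible text next to it is correctly `<%- masterUri %>`.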

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/lib/basic-modal.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/lib/basic-modal.html b/src/main/webapp/assets/tpl/lib/basic-modal.html
index c046548..3aaf158 100644
--- a/src/main/webapp/assets/tpl/lib/basic-modal.html
+++ b/src/main/webapp/assets/tpl/lib/basic-modal.html
@@ -18,12 +18,12 @@ under the License.
 -->
 <div class="modal-header">
     <button type="button" class="close" data-dismiss="modal">&times;</button>
-    <h3><% if (title) { %><%= title %><% } else { %>&nbsp;<% } %></h3>
+    <h3><% if (title) { %><%- title %><% } else { %>&nbsp;<% } %></h3>
 </div>
 
 <div class="modal-body"></div>
 
 <div class="modal-footer">
-    <a href="#" class="btn" data-dismiss="modal"><%= cancelButtonText %></a>
-    <a href="#" class="btn btn-info modal-submit"><%= submitButtonText %></a>
+    <a href="#" class="btn" data-dismiss="modal"><%- cancelButtonText %></a>
+    <a href="#" class="btn btn-info modal-submit"><%- submitButtonText %></a>
 </div>

http://git-wip-us.apache.org/repos/asf/brooklyn-ui/blob/992965e0/src/main/webapp/assets/tpl/lib/config-key-type-value-input-pair.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/assets/tpl/lib/config-key-type-value-input-pair.html b/src/main/webapp/assets/tpl/lib/config-key-type-value-input-pair.html
index cbf88b1..4ca55b3 100644
--- a/src/main/webapp/assets/tpl/lib/config-key-type-value-input-pair.html
+++ b/src/main/webapp/assets/tpl/lib/config-key-type-value-input-pair.html
@@ -17,7 +17,7 @@ specific language governing permissions and limitations
 under the License.
 -->
 <div class="config-key-input-pair form-inline">
-    <input type="text" class="config-key-type" placeholder="Name" value="<%= type %>"/>
-    <input type="text" class="config-key-value" placeholder="Value" value="<%= value %>"/>
+    <input type="text" class="config-key-type" placeholder="Name" value="<%- type %>"/>
+    <input type="text" class="config-key-value" placeholder="Value" value="<%- value %>"/>
     <button type="button" class="btn config-key-row-remove">-</button>
 </div>
\ No newline at end of file

