fix potential xss issue with user id

apollo-portal/src/main/resources/static/app.html

@@ -118,6 +118,8 @@
 <!-- bootstrap.js -->
 <script src="vendor/bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
 
+<script src="../vendor/lodash.min.js"></script>
+
 <!--valdr-->
 <script src="vendor/valdr/valdr.min.js" type="text/javascript"></script>
 <script src="vendor/valdr/valdr-message.min.js" type="text/javascript"></script>

apollo-portal/src/main/resources/static/scripts/controller/AccessKeyController.js

@@ -79,7 +79,7 @@ function AccessKeyController($scope, $location, $translate, toastr,
             $scope.appRoleUsers = result;
             $scope.admins = [];
             $scope.appRoleUsers.masterUsers.forEach(function (user) {
-                $scope.admins.push(user.userId);
+                $scope.admins.push(_.escape(user.userId));
             });
         });
     }

apollo-portal/src/main/resources/static/scripts/controller/AppController.js

@@ -118,7 +118,7 @@ function createAppController($scope, $window, $translate, toastr, AppService, Ap
         if (owner) {
             $(".adminSelector").parent().find(".select2-selection__rendered").prepend(
                 '<li class="select2-selection__choice J_owner">'
-                + owner.text + '</li>')
+                + _.escape(owner.text) + '</li>')
         }
     }
 }

apollo-portal/src/main/resources/static/scripts/controller/SettingController.js

@@ -86,7 +86,7 @@ function SettingController($scope, $location, $translate, toastr,
                 $scope.appRoleUsers = result;
                 $scope.admins = [];
                 $scope.appRoleUsers.masterUsers.forEach(function (user) {
-                    $scope.admins.push(user.userId);
+                    $scope.admins.push(_.escape(user.userId));
                 });
 
             });
@@ -106,7 +106,7 @@ function SettingController($scope, $location, $translate, toastr,
         $orgWidget.val(app.orgId).trigger("change");
 
         var $ownerSelector = $('.ownerSelector');
-        var defaultSelectedDOM = '<option value="' + app.ownerName + '" selected="selected">' + app.ownerName
+        var defaultSelectedDOM = '<option value="' + _.escape(app.ownerName) + '" selected="selected">' + _.escape(app.ownerName)
             + '</option>';
         $ownerSelector.append(defaultSelectedDOM);
         $ownerSelector.trigger('change');

apollo-portal/src/main/resources/static/scripts/controller/config/ConfigNamespaceController.js

@@ -35,7 +35,7 @@ function controller($rootScope, $scope, $translate, toastr, AppUtil, EventManage
             .then(function (result) {
                 var masterUsers = '';
                 result.masterUsers.forEach(function (user) {
-                    masterUsers += user.userId + ',';
+                    masterUsers += _.escape(user.userId) + ',';
                 });
                 $scope.masterUsers = masterUsers.substring(0, masterUsers.length - 1);
             }, function (result) {

apollo-portal/src/main/resources/static/scripts/directive/delete-namespace-modal-directive.js

@@ -58,7 +58,7 @@ function deleteNamespaceModalDirective($window, $q, $translate, toastr, AppUtil,
                             var masterUsers = [];
 
                             appRoleUsers.masterUsers.forEach(function (user) {
-                                masterUsers.push(user.userId);
+                                masterUsers.push(_.escape(user.userId));
 
                                 if (currentUser.userId == user.userId) {
                                     isAppMasterUser = true;