HTML-escape values written to output

The code doesn't currently HTML-escape various outputs, and puts them
directly into the raw HTML.  This can lead to cross-site scripting exploits.

Change-Id: Idef647e7eaf268850dcb7ccff44170ffc5d11878

disaster_recovery/static/freezer/js/freezer.jobs.sortable.js

@@ -9,6 +9,7 @@ $(function () {
     }).disableSelection();
 });
 
+// BAD: This is putting all these members on global scope.
 
 var parent = $(".sortable_lists").parent();
 parent.removeClass("col-sm-6");
@@ -44,6 +45,12 @@ function actions_url() {
   return url;
 }
 
+function freezerLi(item) {
+  return $('<li class="list-group-item">')
+    .attr('id', item.action_id)
+    .text("(" + item.freezer_action.action + ") " + item.freezer_action.backup_name);
+}
+
 if (job_id !== "") {
     $.ajax({
         url: actions_in_job_url(),
@@ -53,21 +60,15 @@ if (job_id !== "") {
         contentType: 'application/json; charset=utf-8',
         success: function (data) {
             $.each(data.available, function (index, item) {
-                $("#actions_available").append(
+                $("#actions_available").append(freezerLi(item));
-                    "<li class='list-group-item' id=" + item.action_id + ">" +
-                        "(" + item.freezer_action.action + ")"  + " " + item.freezer_action.backup_name + "</li>"
-                );
             });
             $.each(data.selected, function (index, item) {
-                $("#actions_selected").append(
+                $("#actions_selected").append(freezerLi(item));
-                    "<li class='list-group-item' id=" + item.action_id + ">" +
-                        "(" + item.freezer_action.action + ")"  + " " + item.freezer_action.backup_name + "</li>"
-                );
             });
         },
         error: function (request, error) {
             $("#actions_available").append(
-                '<tr><td>Error getting action list</td></tr>'
+                '<tr><td>Error getting action list</td></tr>' // UNTRANSLATED
             );
         }
     });
@@ -80,15 +81,12 @@ if (job_id !== "") {
         contentType: 'application/json; charset=utf-8' ,
         success: function (data) {
             $.each(data, function (index, item) {
-                $("#actions_available").append(
+                $("#actions_available").append(freezerLi(item));
-                    "<li class='list-group-item' id=" + item.action_id + ">" +
-                        "(" + item.freezer_action.action + ")"  + " " + item.freezer_action.backup_name + "</li>"
-                );
             });
         },
         error: function (request, error) {
             $("#actions_available").append(
-                '<tr><td>Error getting action list</td></tr>'
+                '<tr><td>Error getting action list</td></tr>' // UNTRANSLATED
             );
         }
     });

disaster_recovery/static/freezer/js/freezer.restore.js

@@ -25,6 +25,15 @@ function get_url() {
   return url;
 }
 
+function freezerGetRow(item) {
+  var tr = $('<tr>');
+  tr.append($('<td class="multi_select_column">')
+    .append($('<input type="radio" name="client">')
+      .attr('value', item.client.client_id)));
+  tr.append($('<td>').text(item.client.hostname));
+  return tr;
+}
+
 $.ajax({
     url: get_url(),
     type: "GET",
@@ -33,16 +42,12 @@ $.ajax({
     contentType: 'application/json; charset=utf-8',
     success: function(data) {
         $.each(data, function (index, item) {
-            $("#available_clients").append(
+            $("#available_clients").append(freezerGetRow(item));
-                '<tr><td class="multi_select_column">' +
-                    '<input type="radio" name="client" value=' + item.client.client_id + '></td>' +
-                     '<td>' + item.client.hostname + '</td></tr>'
-            );
         });
     },
     error: function (request, error) {
         $("#available_clients").append(
-            '<tr><td>Error getting client list</td></tr>'
+            '<tr><td>Error getting client list</td></tr>' // UNTRANSLATED
         );
     }
 });