Escape labels for jqplot charts

Escape single- and double-quotes as needed in the generation of the
HTML/JavaScript for the jqplot charts to avoid JavaScript errors.

Author: Aaron Lindsay <aaron@aclindsay.com>

git-svn-id: svn+ssh://svn.gnucash.org/repo/gnucash/trunk@23754 57a11ea4-9604-0410-9ed3-97b8803252fd

src/report/report-system/html-barchart.scm

@@ -355,7 +355,7 @@
                          (push series-index)
                          (push ");\n")
                          (push "series.push({ label: \"")
-                         (push label)
+                         (push (jqplot-escape-string label))
                          (push "\"});\n\n")))
          ; Use a unique chart-id for each chart. This prevents chart
          ; clashed on multi-column reports
@@ -447,12 +447,14 @@
             (if title
               (begin 
                 (push "  options.title = \"")
-                (push title) (push "\";\n")))
+                (push (jqplot-escape-string title))
+                (push "\";\n")))
 
             (if subtitle
               (begin 
                 (push "  options.title += \" (")
-                (push subtitle) (push ")\";\n")))
+                (push (jqplot-escape-string subtitle))
+                (push ")\";\n")))
 
             (if (and (string? x-label) (> (string-length x-label) 0))
               (begin 

src/report/report-system/html-jqplot.scm

@@ -14,3 +14,12 @@
         "\" />\n"
     ))
 
+(define (jqplot-escape-string s1)
+    ;; Escape single and double quotes and backslashes
+    (set! s1 (regexp-substitute/global #f "\\\\" s1 'pre "\\\\" 'post))
+    (set! s1 (regexp-substitute/global #f "'" s1 'pre "\\'" 'post))
+    (set! s1 (regexp-substitute/global #f "\"" s1 'pre "\\\"" 'post))
+    ;; Escape HTML special characters
+    (set! s1 (regexp-substitute/global #f "&" s1 'pre "&" 'post))
+    (set! s1 (regexp-substitute/global #f "<" s1 'pre "&lt;" 'post))
+    (regexp-substitute/global #f ">" s1 'pre "&gt;" 'post))

src/report/report-system/html-linechart.scm

@@ -387,7 +387,7 @@
                          (push series-index)
                          (push ");\n")
                          (push "series.push({ label: \"")
-                         (push label)
+                         (push (jqplot-escape-string label))
                          (push "\"});\n\n")))
          ; Use a unique chart-id for each chart. This prevents chart
          ; clashed on multi-column reports
@@ -489,12 +489,14 @@
             (if title
               (begin 
                 (push "  options.title = \"")
-                (push title) (push "\";\n")))
+                (push (jqplot-escape-string title))
+                (push "\";\n")))
 
             (if subtitle
               (begin 
                 (push "  options.title += \" (")
-                (push subtitle) (push ")\";\n")))
+                (push (jqplot-escape-string subtitle))
+                (push ")\";\n")))
 
             (if (and (string? x-label) (> (string-length x-label) 0))
               (begin 

src/report/report-system/html-piechart.scm

@@ -229,7 +229,7 @@
                 (for-each 
                  (lambda (datum label)
                    (push "  data.push(['")
-                   (push label)
+                   (push (jqplot-escape-string label))
                    (push "',")
                    (push datum)
                    (push "]);\n"))
@@ -247,11 +247,13 @@
             (if title
               (begin 
                 (push "  options.title = \"")
-                (push title) (push "\";\n")))
+                (push (jqplot-escape-string title))
+                (push "\";\n")))
             (if subtitle
               (begin 
                 (push "  options.title += \" (")
-                (push subtitle) (push ")\";\n")))
+                (push (jqplot-escape-string subtitle))
+                (push ")\";\n")))
 
             (push "$.jqplot.config.enablePlugins = true;\n")
             (push "var plot = $.jqplot('")(push chart-id)(push "', [data], options);\n")