From 80c40759bb7c48b094d9569b44b7e53a07009ade Mon Sep 17 00:00:00 2001
From: Arnaud Delcasse <arnaud.delcasse@mobicoop.org>
Date: Wed, 8 Oct 2025 23:54:53 +0200
Subject: [PATCH] escape json

---
 .../organized_carpool/_partials/bookings_list.html | 12 ++++++------
 .../organized_carpool/_partials/drivers_list.html  | 14 +++++++-------
 .../_partials/drivers_list.html                    |  8 ++++----
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/web/layouts/organized_carpool/_partials/bookings_list.html b/web/layouts/organized_carpool/_partials/bookings_list.html
index 2f66cbf..41f43d5 100644
--- a/web/layouts/organized_carpool/_partials/bookings_list.html
+++ b/web/layouts/organized_carpool/_partials/bookings_list.html
@@ -9,13 +9,13 @@
     {{range $index, $booking := .ViewState.bookings}}{{if $index}},{{end}}{
       id: '{{$booking.Id}}',
       driverId: '{{$booking.Driver.Id}}',
-      driverFirstName: '{{ (index $.ViewState.drivers_map $booking.Driver.Id).Data.first_name }}',
-      driverLastName: '{{ (index $.ViewState.drivers_map $booking.Driver.Id).Data.last_name }}',
+      driverFirstName: '{{ jsEscape (index $.ViewState.drivers_map $booking.Driver.Id).Data.first_name }}',
+      driverLastName: '{{ jsEscape (index $.ViewState.drivers_map $booking.Driver.Id).Data.last_name }}',
       passengerId: '{{$booking.Passenger.Id}}',
-      passengerFirstName: '{{ (index $.ViewState.passengers_map $booking.Passenger.Id).Data.first_name }}',
-      passengerLastName: '{{ (index $.ViewState.passengers_map $booking.Passenger.Id).Data.last_name }}',
-      pickupAddress: '{{$booking.PassengerPickupAddress}}',
-      dropAddress: '{{$booking.PassengerDropAddress}}',
+      passengerFirstName: '{{ jsEscape (index $.ViewState.passengers_map $booking.Passenger.Id).Data.first_name }}',
+      passengerLastName: '{{ jsEscape (index $.ViewState.passengers_map $booking.Passenger.Id).Data.last_name }}',
+      pickupAddress: '{{ jsEscape $booking.PassengerPickupAddress }}',
+      dropAddress: '{{ jsEscape $booking.PassengerDropAddress }}',
       pickupDate: '{{ timeFormat $booking.PassengerPickupDate.AsTime "02/01/2006 15:04" }}',
       status: '{{$booking.Status.String}}',
       price: '{{if $booking.Price}}{{ printf "%.2f" (round2 $booking.Price.Amount) }}{{else}}N/A{{end}}',
diff --git a/web/layouts/organized_carpool/_partials/drivers_list.html b/web/layouts/organized_carpool/_partials/drivers_list.html
index b20d207..eb8ad31 100644
--- a/web/layouts/organized_carpool/_partials/drivers_list.html
+++ b/web/layouts/organized_carpool/_partials/drivers_list.html
@@ -32,11 +32,11 @@
   drivers: [
     {{range $index, $driver := .ViewState.drivers}}{{if $index}},{{end}}{
       id: '{{$driver.ID}}',
-      firstName: '{{$driver.Data.first_name}}',
-      lastName: '{{$driver.Data.last_name}}',
-      address: '{{if $driver.Data.address}}{{$driver.Data.address.properties.label}}{{end}}',
-      addressDestination: '{{if $driver.Data.address_destination}}{{$driver.Data.address_destination.properties.label}}{{end}}',
-      phoneNumber: '{{$driver.Data.phone_number}}',
+      firstName: '{{ jsEscape $driver.Data.first_name }}',
+      lastName: '{{ jsEscape $driver.Data.last_name }}',
+      address: '{{if $driver.Data.address}}{{ jsEscape $driver.Data.address.properties.label }}{{end}}',
+      addressDestination: '{{if $driver.Data.address_destination}}{{ jsEscape $driver.Data.address_destination.properties.label }}{{end}}',
+      phoneNumber: '{{ jsEscape $driver.Data.phone_number }}',
       validated: {{if carpoolDriverValidatedProfile $driver (carpoolDocuments $driver.ID)}}true{{else}}false{{end}}
     }{{end}}
   ],
@@ -94,8 +94,8 @@
     <template x-for="driver in paginatedDrivers" :key="driver.id">
       <tr>
         <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm sm:pl-6" x-text="driver.firstName + ' ' + driver.lastName"></td>
-        <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm sm:pl-6" x-text="driver.address"></td>
-        <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm sm:pl-6" x-text="driver.addressDestination"></td>
+        <td class="py-4 pl-4 pr-3 text-sm sm:pl-6" x-text="driver.address"></td>
+        <td class="py-4 pl-4 pr-3 text-sm sm:pl-6" x-text="driver.addressDestination"></td>
         <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm sm:pl-6" x-text="driver.phoneNumber"></td>
         <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm sm:pl-6">
           <span x-show="driver.validated" class="p-1 px-2 text-xs bg-co-green rounded-2xl">Oui</span>
diff --git a/web/layouts/solidarity_transport/_partials/drivers_list.html b/web/layouts/solidarity_transport/_partials/drivers_list.html
index 17d0d77..ccd9fde 100644
--- a/web/layouts/solidarity_transport/_partials/drivers_list.html
+++ b/web/layouts/solidarity_transport/_partials/drivers_list.html
@@ -31,10 +31,10 @@
   drivers: [
     {{range $index, $driver := .ViewState.drivers}}{{if $index}},{{end}}{
       id: '{{$driver.ID}}',
-      firstName: '{{$driver.Data.first_name}}',
-      lastName: '{{$driver.Data.last_name}}',
-      address: '{{if $driver.Data.address}}{{$driver.Data.address.properties.label}}{{end}}',
-      phoneNumber: '{{$driver.Data.phone_number}}',
+      firstName: '{{ jsEscape $driver.Data.first_name }}',
+      lastName: '{{ jsEscape $driver.Data.last_name }}',
+      address: '{{if $driver.Data.address}}{{ jsEscape $driver.Data.address.properties.label }}{{end}}',
+      phoneNumber: '{{ jsEscape $driver.Data.phone_number }}',
       validated: {{if solidarityDriverValidatedProfile $driver (solidarityDocuments $driver.ID)}}true{{else}}false{{end}}
     }{{end}}
   ],