From 17fe30ca0fc6c3fe76ceb23439a0ee8d08a0f15b Mon Sep 17 00:00:00 2001
From: Henry Oswald
Date: Mon, 19 Jan 2015 10:49:40 +0000
Subject: [PATCH] sanitise the ref for universities site. and remove unneeded sanitise
---
 .../web/app/coffee/Features/Project/ProjectController.coffee | 1 -
 .../coffee/Features/StaticPages/UniversityController.coffee | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/web/app/coffee/Features/Project/ProjectController.coffee b/services/web/app/coffee/Features/Project/ProjectController.coffee
index 7409da4160..50a8e91670 100644
--- a/services/web/app/coffee/Features/Project/ProjectController.coffee
+++ b/services/web/app/coffee/Features/Project/ProjectController.coffee
@@ -5,7 +5,6 @@ projectDuplicator = require("./ProjectDuplicator")
 projectCreationHandler = require("./ProjectCreationHandler")
 editorController = require("../Editor/EditorController")
 metrics = require('../../infrastructure/Metrics')
-sanitize = require('sanitizer')
 Project = require('../../models/Project').Project
 User = require('../../models/User').User
 TagsHandler = require("../Tags/TagsHandler")
diff --git a/services/web/app/coffee/Features/StaticPages/UniversityController.coffee b/services/web/app/coffee/Features/StaticPages/UniversityController.coffee
index d23fbfbeed..d82ac2ecd0 100644
--- a/services/web/app/coffee/Features/StaticPages/UniversityController.coffee
+++ b/services/web/app/coffee/Features/StaticPages/UniversityController.coffee
@@ -4,6 +4,7 @@ logger = require("logger-sharelatex")
 _ = require("underscore")
 ErrorController = require "../Errors/ErrorController"
 StaticPageHelpers = require("./StaticPageHelpers")
+sanitize = require('sanitizer')
 module.exports = UniversityController = 
@@ -20,7 +21,7 @@ module.exports = UniversityController =
 data = data.trim()
 try
 data = JSON.parse(data)
- data.content = data.content.replace(/__ref__/g, req.query.ref)
+ data.content = data.content.replace(/__ref__/g, sanitize.escape(req.query.ref))
 catch err
 logger.err err:err, data:data, "error parsing data from data"
 res.render "university/university_holder", data
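Review bot: The escaped value is still handed to `replace` as a plain string on the added line, so `$`-sequences in `req.query.ref` (`$&`, `$'`, `` $` ``, `$$`) are interpreted as replacement patterns rather than inserted literally; a function replacement sidesteps that: `escaped = sanitize.escape(req.query.ref ? "")` followed by `data.content = data.content.replace(/__ref__/g, -> escaped)`. The `? ""` default also covers a request with no `ref` parameter, which otherwise (if `sanitize.escape` stringifies its argument, as the earlier bare `replace` effectively did) renders the literal text `undefined` into the page. HTML escaping is the right encoding only while `__ref__` sits in an HTML text or attribute position of the loaded content; the hunk does not show that content, so a short comment stating the expected context, e.g. `# __ref__ is substituted into HTML text; escape accordingly`, would help the next reader. Note too that the substitution runs inside the `try`, so a failure there is logged as a JSON-parsing error by the `catch`. The enclosing function starts outside the hunk.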