Fix colour injection vulnerability.

The new validators already solve this problem, but as a second layer of defence, the generators should also be secured.  Issue #2637

generators/dart/colour.js

@@ -33,7 +33,7 @@ Blockly.Dart.addReservedWords('Math');
 
 Blockly.Dart['colour_picker'] = function(block) {
   // Colour picker.
-  var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+  var code = Blockly.Dart.quote_(block.getFieldValue('COLOUR'));
   return [code, Blockly.Dart.ORDER_ATOMIC];
 };
 

generators/javascript/colour.js

@@ -31,7 +31,7 @@ goog.require('Blockly.JavaScript');
 
 Blockly.JavaScript['colour_picker'] = function(block) {
   // Colour picker.
-  var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+  var code = Blockly.JavaScript.quote_(block.getFieldValue('COLOUR'));
   return [code, Blockly.JavaScript.ORDER_ATOMIC];
 };
 

generators/lua/colour.js

@@ -31,7 +31,7 @@ goog.require('Blockly.Lua');
 
 Blockly.Lua['colour_picker'] = function(block) {
   // Colour picker.
-  var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+  var code = Blockly.Lua.quote_(block.getFieldValue('COLOUR'));
   return [code, Blockly.Lua.ORDER_ATOMIC];
 };
 

generators/php/colour.js

@@ -31,7 +31,7 @@ goog.require('Blockly.PHP');
 
 Blockly.PHP['colour_picker'] = function(block) {
   // Colour picker.
-  var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+  var code = Blockly.PHP.quote_(block.getFieldValue('COLOUR'));
   return [code, Blockly.PHP.ORDER_ATOMIC];
 };
 

generators/python/colour.js

@@ -31,7 +31,7 @@ goog.require('Blockly.Python');
 
 Blockly.Python['colour_picker'] = function(block) {
   // Colour picker.
-  var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+  var code = Blockly.Python.quote_(block.getFieldValue('COLOUR'));
   return [code, Blockly.Python.ORDER_ATOMIC];
 };