From 92c4d6d3a31daab0114621cdc67b7a62b430125b Mon Sep 17 00:00:00 2001
From: Neil Fraser
Date: Mon, 15 Jul 2019 15:45:38 -0700
Subject: [PATCH] Fix colour injection vulnerability. The new validators already solve this problem, but as a second layer of defence, the generators should also be secured. Issue #2637
---
 generators/dart/colour.js | 2 +-
 generators/javascript/colour.js | 2 +-
 generators/lua/colour.js | 2 +-
 generators/php/colour.js | 2 +-
 generators/python/colour.js | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/generators/dart/colour.js b/generators/dart/colour.js
index 105608988..300099d8c 100644
--- a/generators/dart/colour.js
+++ b/generators/dart/colour.js
@@ -33,7 +33,7 @@ Blockly.Dart.addReservedWords('Math');
 Blockly.Dart['colour_picker'] = function(block) {
 // Colour picker.
- var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+ var code = Blockly.Dart.quote_(block.getFieldValue('COLOUR'));
 return [code, Blockly.Dart.ORDER_ATOMIC];
 };
diff --git a/generators/javascript/colour.js b/generators/javascript/colour.js
index 21b372e9c..8f5c86f89 100644
--- a/generators/javascript/colour.js
+++ b/generators/javascript/colour.js
@@ -31,7 +31,7 @@ goog.require('Blockly.JavaScript');
 Blockly.JavaScript['colour_picker'] = function(block) {
 // Colour picker.
- var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+ var code = Blockly.JavaScript.quote_(block.getFieldValue('COLOUR'));
 return [code, Blockly.JavaScript.ORDER_ATOMIC];
 };
diff --git a/generators/lua/colour.js b/generators/lua/colour.js
index 9175a9de9..c77325a84 100644
--- a/generators/lua/colour.js
+++ b/generators/lua/colour.js
@@ -31,7 +31,7 @@ goog.require('Blockly.Lua');
 Blockly.Lua['colour_picker'] = function(block) {
 // Colour picker.
- var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+ var code = Blockly.Lua.quote_(block.getFieldValue('COLOUR'));
 return [code, Blockly.Lua.ORDER_ATOMIC];
 };
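Review bot: The replaced `var code = ...quote_(block.getFieldValue('COLOUR'));` line ships without a regression test, here and in the identical javascript, lua, php and python hunks, so nothing pins the escaping that this second layer of defence depends on. A generator test that gives a `colour_picker` block a `COLOUR` value containing a quote and a backslash, and asserts that each of the five generators emits exactly one string literal, would cover all five hunks. The `quote_` helpers are outside this diff, so it is worth confirming that each one escapes everything its target language treats as special inside the quote style it emits (for example string interpolation in Dart). `quote_` only guarantees a well-formed literal, not that the value is a colour, so code that consumes the generated string still depends on the field validators. I would also extend the comment to say why the helper is used, e.g. `// Colour picker. Escape the field value; it may not have passed a validator.`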
diff --git a/generators/php/colour.js b/generators/php/colour.js
index e73c17a95..98aa4e9b8 100644
--- a/generators/php/colour.js
+++ b/generators/php/colour.js
@@ -31,7 +31,7 @@ goog.require('Blockly.PHP');
 Blockly.PHP['colour_picker'] = function(block) {
 // Colour picker.
- var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+ var code = Blockly.PHP.quote_(block.getFieldValue('COLOUR'));
 return [code, Blockly.PHP.ORDER_ATOMIC];
 };
diff --git a/generators/python/colour.js b/generators/python/colour.js
index 68666a89b..8a17844d3 100644
--- a/generators/python/colour.js
+++ b/generators/python/colour.js
@@ -31,7 +31,7 @@ goog.require('Blockly.Python');
 Blockly.Python['colour_picker'] = function(block) {
 // Colour picker.
- var code = '\'' + block.getFieldValue('COLOUR') + '\'';
+ var code = Blockly.Python.quote_(block.getFieldValue('COLOUR'));
 return [code, Blockly.Python.ORDER_ATOMIC];
 };