prevent xss attack in Select2 select menu
This commit is contained in:
parent
b0e3c816ff
commit
aed0c3cdf3
|
@ -1,10 +1,15 @@
|
|||
/* Template function which outputs an option in a chzn-select */
|
||||
/* Template function which outputs an option in a chzn-select
|
||||
* The replace() call is required to prevent xss attacks (see CVE-2019-12745)
|
||||
* Using htmlspecialchars() in php isn't sufficient because, chzn_template_func
|
||||
* will receive an unescaped string
|
||||
* (see https://forums.select2.org/t/propperly-escape-option-value-to-prevent-xss/788)
|
||||
*/
|
||||
chzn_template_func = function (state) {
|
||||
var subtitle = $(state.element).data('subtitle');
|
||||
var warning = $(state.element).data('warning');
|
||||
var html = '<span>'+state.text+'';
|
||||
var html = '<span>'+state.text.replace(/</g, '<')+'';
|
||||
if(subtitle)
|
||||
html += '<br /><i>'+subtitle+'</i>';
|
||||
html += '<br /><i>'+subtitle.replace(/</g, '<')+'</i>';
|
||||
if(warning)
|
||||
html += '<br /><span class="label label-warning"><i class="icon-warning-sign"></i></span> '+warning+'';
|
||||
html += '</span>';
|
||||
|
@ -38,7 +43,8 @@ $(document).ready( function() {
|
|||
|
||||
$(".chzn-select").select2({
|
||||
width: '100%',
|
||||
templateResult: chzn_template_func
|
||||
templateResult: chzn_template_func,
|
||||
templateSelection: chzn_template_func
|
||||
});
|
||||
|
||||
/* change the color and length of the bar graph showing the password
|
||||
|
|