Properly escape labels in WCF.EditableItemList
authorTim Düsterhus <duesterhus@woltlab.com>
Wed, 19 Jun 2013 17:57:07 +0000 (19:57 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Wed, 19 Jun 2013 17:58:34 +0000 (19:58 +0200)
see http://beta.woltlab.com/index.php/Thread/2164-Fehler-mit-tags-und-Special-HTML-Characters/

wcfsetup/install/files/js/WCF.js

index fb791b37990cd995b5cc82c6c69f071b2164207c..7556454889c5e0235740080da2e90a33714e071c 100755 (executable)
@@ -7685,7 +7685,7 @@ WCF.EditableItemList = Class.extend({
                        }
                }
                
-               var $listItem = $('<li class="badge">' + data.label + '</li>').data('objectID', data.objectID).data('label', data.label).appendTo(this._itemList);
+               var $listItem = $('<li class="badge">' + WCF.String.escapeHTML(data.label) + '</li>').data('objectID', data.objectID).data('label', data.label).appendTo(this._itemList);
                $listItem.click($.proxy(this._click, this));
                
                if (this._search) {
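Review bot: The label is still spliced into an HTML string on the added `$listItem` line, so the fix depends on `WCF.String.escapeHTML` covering every character that matters in that context. Creating the element first and setting its text would keep the label out of the HTML parser entirely: `var $listItem = $('<li class="badge" />').text(data.label).data('objectID', data.objectID).data('label', data.label).appendTo(this._itemList);`. The raw label is also kept in `.data('label')`, which is fine for storage, but any code that reads it back and concatenates it into markup needs the same escaping. That is worth checking across the rest of `WCF.EditableItemList`, since the enclosing function starts and ends outside this hunk. A short comment on this line, such as `// data.label is user-supplied; never concatenate it into markup unescaped`, would keep the reason visible to later editors.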