From e5f1745c8acf9791cf0c44f92664c94fe35472f0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?= <duesterhus@woltlab.com>
Date: Wed, 19 Jun 2013 19:57:07 +0200
Subject: [PATCH] Properly escape labels in WCF.EditableItemList

see http://beta.woltlab.com/index.php/Thread/2164-Fehler-mit-tags-und-Special-HTML-Characters/
---
 wcfsetup/install/files/js/WCF.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wcfsetup/install/files/js/WCF.js b/wcfsetup/install/files/js/WCF.js
index fb791b3799..7556454889 100755
--- a/wcfsetup/install/files/js/WCF.js
+++ b/wcfsetup/install/files/js/WCF.js
@@ -7685,7 +7685,7 @@ WCF.EditableItemList = Class.extend({
 			}
 		}
 		
-		var $listItem = $('<li class="badge">' + data.label + '</li>').data('objectID', data.objectID).data('label', data.label).appendTo(this._itemList);
+		var $listItem = $('<li class="badge">' + WCF.String.escapeHTML(data.label) + '</li>').data('objectID', data.objectID).data('label', data.label).appendTo(this._itemList);
 		$listItem.click($.proxy(this._click, this));
 		
 		if (this._search) {
-- 
2.20.1