From 1c394a421b76f26b8923a9634437b99fb6bffec3 Mon Sep 17 00:00:00 2001
From: Kevin Brown
Date: Wed, 10 Jul 2019 00:00:02 -0400
Subject: [PATCH] Fix XSS issue in templating example
---
 pages/08.selections/docs.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pages/08.selections/docs.md b/pages/08.selections/docs.md
index d563450d..5f79efac 100644
--- a/pages/08.selections/docs.md
+++ b/pages/08.selections/docs.md
@@ -25,10 +25,16 @@ function formatState (state) {
 if (!state.id) {
 return state.text;
 }
+ var baseUrl = "{{ url('user://pages/images/flags') }}";
 var $state = $(
- ' ' + state.text + ''
+ ' '
 );
+
+ // Use .text() instead of HTML string concatenation to avoid script injection issues
+ $state.find("span").text(state.text);
+ $state.find("img").attr("src", baseUrl + "/" + state.element.value.toLowerCase() + ".png");
+
 return $state;
 };