RetailCRM-Mirror/select2
1
0
Fork 0
mirror of synced 2025-02-16 20:13:16 +03:00
Code Issues Projects Releases Wiki Activity

Fix XSS issue in templating example

Browse Source
This commit is contained in:
Kevin Brown 2019-07-10 00:00:02 -04:00
parent 03e1b69751
commit 1c394a421b
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pages/08.selections/docs.md
View File

@ -25,10 +25,16 @@ function formatState (state) {
if (!state.id) { if (!state.id) {
return state.text; return state.text;
} }
var baseUrl = "{{ url('user://pages/images/flags') }}"; var baseUrl = "{{ url('user://pages/images/flags') }}";
var $state = $( var $state = $(
'<span><img src="' + baseUrl + '/' + state.element.value.toLowerCase() + '.png" class="img-flag" /> ' + state.text + '</span>' '<span><img class="img-flag" /> <span></span></span>'
); );
// Use .text() instead of HTML string concatenation to avoid script injection issues
$state.find("span").text(state.text);
$state.find("img").attr("src", baseUrl + "/" + state.element.value.toLowerCase() + ".png");
return $state; return $state;
}; };