
Fix XSS issue in templating example

This commit is contained in:
Kevin Brown 2019-07-10 00:00:02 -04:00
parent 03e1b69751
commit 1c394a421b


@ -25,10 +25,16 @@ function formatState (state) {
if (!state.id) {
return state.text;
}
var baseUrl = "{{ url('user://pages/images/flags') }}";
var $state = $(
'<span><img src="' + baseUrl + '/' + state.element.value.toLowerCase() + '.png" class="img-flag" /> ' + state.text + '</span>'
'<span><img class="img-flag" /> <span></span></span>'
);
// Use .text() instead of HTML string concatenation to avoid script injection issues
$state.find("span").text(state.text);
$state.find("img").attr("src", baseUrl + "/" + state.element.value.toLowerCase() + ".png");
return $state;
};
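Review bot: The new `$state.find("img").attr("src", baseUrl + "/" + state.element.value.toLowerCase() + ".png")` line still splices `state.element.value` into the URL by concatenation; `.attr()` stops the value from becoming markup, but it does not stop a value containing `/`, `..` or `?` from changing which path the browser requests under `baseUrl`. If option values are not always page-author-controlled, encode the segment before building the URL, e.g. `$state.find("img").attr("src", baseUrl + "/" + encodeURIComponent(state.element.value.toLowerCase()) + ".png");`. The `.text()` change for `state.text` is the right fix for the script-injection case, and the comment above it explains why; a matching comment on the `src` line, such as `// Build the src as a single encoded path segment so option values cannot alter the request path`, would keep the two cases from diverging in later edits. `formatState` begins outside this hunk (only its body from the early return onward is shown), so whether `state.element` can be undefined for non-option states is not visible here.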