title attributes can contain malicious code

Hannes Mannerheim 2015-09-06 20:31:25 +02:00
parent 018d1d1bbb
commit 3754ef5b3d


@ -102,7 +102,8 @@ $('body').on({
// convert title to tooltip // convert title to tooltip
if($(e.target).is('[title]')) { if($(e.target).is('[title]')) {
$(e.target).attr('data-tooltip',$(e.target).attr('title')); var titleAttribute = replaceHtmlSpecialChars($(e.target).attr('title')); // can contain malicious code
$(e.target).attr('data-tooltip',titleAttribute);
$(e.target).removeAttr('title'); $(e.target).removeAttr('title');
} }
@ -1415,6 +1416,7 @@ $('body').on('click','.sm-ellipsis',function(){
<li class="dropdown-caret left"><span class="caret-outer"></span><span class="caret-inner"></span></li>\ <li class="dropdown-caret left"><span class="caret-outer"></span><span class="caret-inner"></span></li>\
' + blockHtml + '\ ' + blockHtml + '\
' + deleteHtml + '\ ' + deleteHtml + '\
<li><a class="hierarchical-view">Hierarchical view [alpha]</a></li>\
</ul>\ </ul>\
'); ');
} }
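Review bot: In the first hunk (the `[title]` branch around line 105) the escaping is applied at a layer that does not need it: `$(e.target).attr('data-tooltip', titleAttribute)` stores the string as a literal attribute value and never parses HTML, so `replaceHtmlSpecialChars` only prevents injection if the code that later reads `data-tooltip` inserts it with `.html()` or a string-built template — that consumer is outside this hunk and should be checked; if it instead uses `.text()`, the entities will now be shown literally (double-escaped). The more robust fix is to keep `data-tooltip` raw and escape (or use `.text()`) at the point where the tooltip is actually rendered into the DOM, so every attribute→HTML transition is protected regardless of where the value came from. The inline comment `// can contain malicious code` is also too vague to guide a future reader; something like `// title is presumably user-supplied; it is escaped here because data-tooltip is later rendered as HTML — verify the consumer` states the assumption being relied on. The implementation of `replaceHtmlSpecialChars` is not visible here, and the enclosing `$('body').on({ … })` handler starts and ends outside the hunk.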