From: Jörn Zaefferer
Date: Mon, 26 Nov 2012 09:14:36 +0000 (+0100)
Subject: Dialog: Extract setting the title into a _title method, use .text() to prevent XSS...
X-Git-Tag: 1.10.0-beta.1~89
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=7e9060c109b928769a664dbcc2c17bd21231b6f3;p=jquery-ui.git

Dialog: Extract setting the title into a _title method, use .text() to prevent XSS. Fixes #6016 - Dialog: Title XSS Vulnerability.
---

diff --git a/ui/jquery.ui.dialog.js b/ui/jquery.ui.dialog.js
index 5eb3e2aca..808d31d5b 100644
--- a/ui/jquery.ui.dialog.js
+++ b/ui/jquery.ui.dialog.js
@@ -352,14 +352,21 @@ $.widget("ui.dialog", { uiDialogTitle = $( "" ) .uniqueId() .addClass( "ui-dialog-title" ) - .html( this.options.title || " " ) .prependTo( this.uiDialogTitlebar ); + this._title( uiDialogTitle ); this.uiDialog.attr({ "aria-labelledby": uiDialogTitle.attr( "id" ) }); }, + _title: function( title ) { + if ( !this.options.title ) { + title.html( " " ); + } + title.text( this.options.title ); + }, + _createButtonPane: function() { var uiDialogButtonPane = ( this.uiDialogButtonPane = $( "
" ) ) .addClass( "ui-dialog-buttonpane ui-widget-content ui-helper-clearfix" );
@@ -600,9 +607,7 @@ $.widget("ui.dialog", { } if ( key === "title" ) { - // convert whatever was passed in to a string, for html() to not throw up - $( ".ui-dialog-title", this.uiDialogTitlebar ) - .html( "" + ( value || " " ) ); + this._title( this.uiDialogTitlebar.find( ".ui-dialog-title" ) ); } },
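Review bot: In the new `_title` method the placeholder written by `title.html( " " )` is overwritten straight away, because `title.text( this.options.title )` runs unconditionally after the `if`; for a falsy title the element ends up holding whatever jQuery's `.text()` makes of `null`/`false`/`0` (presumably the stringified value) rather than the non-breaking space the branch intended. Make the two writes exclusive: `if ( this.options.title ) { title.text( this.options.title ); } else { title.html( " " ); }`, so the option value only ever reaches `.text()` and the placeholder is the only thing that goes through `.html()`. Since `_title` is now the single place the title is rendered, a one-line comment on it would protect the fix from future refactors, e.g. `// The title option is untrusted input: always render it with .text(), never .html() (#6016).` The `_setOption` change in the second hunk routes through the same method, so it inherits both the fix and this ordering issue.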
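Review bot: The replacement line `this._title( this.uiDialogTitlebar.find( ".ui-dialog-title" ) )` no longer uses `value`; it depends on `this.options.title` already holding the new value when this branch runs, whereas the removed code read `value` directly. The start of `_setOption` is outside the hunk, so this is only correct if the base `_setOption` (the `_super` call) has stored the option before this `if`; if that is the case, a short comment such as `// this.options.title was updated by _super() above` would make the dependency visible to the next reader.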