diff options
author | Scott González <scott.gonzalez@gmail.com> | 2012-11-27 11:21:33 -0500 |
---|---|---|
committer | Scott González <scott.gonzalez@gmail.com> | 2012-11-27 11:21:33 -0500 |
commit | f2854408cce7e4b7fc6bf8676761904af9c96bde (patch) | |
tree | ff4b9d3cc46b42745eea842052fb415c700fca71 /ui/jquery.ui.tooltip.js | |
parent | 5fee6fd5000072ff32f2d65b6451f39af9e0e39e (diff) | |
download | jquery-ui-f2854408cce7e4b7fc6bf8676761904af9c96bde.tar.gz jquery-ui-f2854408cce7e4b7fc6bf8676761904af9c96bde.zip |
Tooltip: Escape the title attribute so that it's treated as text and not HTML. Fixes #8861 - Tooltip: XSS vulnerability in default content.
Diffstat (limited to 'ui/jquery.ui.tooltip.js')
-rw-r--r-- | ui/jquery.ui.tooltip.js | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/ui/jquery.ui.tooltip.js b/ui/jquery.ui.tooltip.js index 2ccd61f46..ab8d5173c 100644 --- a/ui/jquery.ui.tooltip.js +++ b/ui/jquery.ui.tooltip.js @@ -46,7 +46,9 @@ $.widget( "ui.tooltip", { version: "@VERSION", options: { content: function() { - return $( this ).attr( "title" ); + var title = $( this ).attr( "title" ); + // Escape title, since we're going from an attribute to raw HTML + return $( "<a>" ).text( title ).html(); }, hide: true, // Disabled elements have inconsistent behavior across browsers (#8661) |