From f0c203a9a0cc7cbb70738436ed99c38b407e772a Mon Sep 17 00:00:00 2001
From: Scott González
Date: Mon, 26 Nov 2012 16:13:21 -0500
Subject: Autocomplete demo: Combobox cleanup.
---
 demos/autocomplete/combobox.html | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)
(limited to 'demos/autocomplete/combobox.html')
diff --git a/demos/autocomplete/combobox.html b/demos/autocomplete/combobox.html
index 9fd5d4050..6229d47b2 100644
--- a/demos/autocomplete/combobox.html
+++ b/demos/autocomplete/combobox.html
@@ -24,7 +24,7 @@
 bottom: 0;
 margin-left: -1px;
 padding: 0;
- /* adjust styles for IE 6/7 */
+ /* support: IE7 */
 *height: 1.7em;
 *top: 0.1em;
 }
@@ -46,7 +46,7 @@
 .addClass( "ui-combobox" )
 .insertAfter( select );
- function removeIfInvalid(element) {
+ function removeIfInvalid( element ) {
 var value = $( element ).val(),
 matcher = new RegExp( "^" + $.ui.autocomplete.escapeRegex( value ) + "$", "i" ),
 valid = false;
@@ -56,6 +56,7 @@
 return false;
 }
 });
+
 if ( !valid ) {
 // remove invalid value, as it didn't match anything
 $( element )
@@ -66,8 +67,7 @@
 setTimeout(function() {
 input.tooltip( "close" ).attr( "title", "" );
 }, 2500 );
- input.data( "autocomplete" ).term = "";
- return false;
+ input.data( "ui-autocomplete" ).term = "";
 }
 }
@@ -103,13 +103,14 @@
 });
 },
 change: function( event, ui ) {
- if ( !ui.item )
- return removeIfInvalid( this );
+ if ( !ui.item ) {
+ removeIfInvalid( this );
+ }
 }
 })
 .addClass( "ui-widget ui-widget-content ui-corner-left" );
- input.data( "autocomplete" )._renderItem = function( ul, item ) {
+ input.data( "ui-autocomplete" )._renderItem = function( ul, item ) {
 return $( "
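Review bot: `input.data( "ui-autocomplete" ).term = "";` reaches into the autocomplete instance's private state, and the rename from `"autocomplete"` on the removed line shows how brittle that is: if the data key changes again, `.data()` returns undefined and this assignment throws a TypeError inside the change handler. The same instance lookup is repeated for `_renderItem` in the later hunk of this commit. A comment should at least record the intent and the coupling, e.g. `// clear the widget's cached search term (private state; depends on the instance living under the "ui-autocomplete" data key)`, with the reason hedged since the hunk does not show why the term must be reset. removeIfInvalid starts before this hunk.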
  • " )
 .append( "" + item.label + "" )
 .appendTo( ul );
@@ -144,19 +145,14 @@
 input.focus();
 });
- input
- .tooltip({
- position: {
- of: this.button
- },
- tooltipClass: "ui-state-highlight"
- });
+ input.tooltip({
+ tooltipClass: "ui-state-highlight"
+ });
 },
- destroy: function() {
+ _destroy: function() {
 this.wrapper.remove();
 this.element.show();
- $.Widget.prototype.destroy.call( this );
 }
 });
 })( jQuery );
-- cgit v1.2.3
From 5fee6fd5000072ff32f2d65b6451f39af9e0e39e Mon Sep 17 00:00:00 2001
From: Scott González
Date: Tue, 27 Nov 2012 10:52:19 -0500
Subject: Autocomplete demo: Combobox: Encode search term inside tooltips.
Fixes #8859 - Autocomplete: XSS in combobox demo.
---
 demos/autocomplete/combobox.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'demos/autocomplete/combobox.html')
diff --git a/demos/autocomplete/combobox.html b/demos/autocomplete/combobox.html
index 6229d47b2..8c6f59fc1 100644
--- a/demos/autocomplete/combobox.html
+++ b/demos/autocomplete/combobox.html
@@ -61,7 +61,7 @@
 // remove invalid value, as it didn't match anything
 $( element )
 .val( "" )
- .attr( "title", value + " didn't match any item" )
+ .attr( "title", $( "" ).text( value ).html() + " didn't match any item" )
 .tooltip( "open" );
 select.val( "" );
 setTimeout(function() {
-- cgit v1.2.3
From f2854408cce7e4b7fc6bf8676761904af9c96bde Mon Sep 17 00:00:00 2001
From: Scott González
Date: Tue, 27 Nov 2012 11:21:33 -0500
Subject: Tooltip: Escape the title attribute so that it's treated as text and not HTML.
Fixes #8861 - Tooltip: XSS vulnerability in default content.
---
 demos/autocomplete/combobox.html | 2 +-
 tests/unit/tooltip/tooltip_options.js | 14 ++++++++++++++
 ui/jquery.ui.tooltip.js | 4 +++-
 3 files changed, 18 insertions(+), 2 deletions(-)
(limited to 'demos/autocomplete/combobox.html')
diff --git a/demos/autocomplete/combobox.html b/demos/autocomplete/combobox.html
index 8c6f59fc1..6229d47b2 100644
--- a/demos/autocomplete/combobox.html
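Review bot: In `_renderItem`, `.append( "" + item.label + "" )` concatenates the option label into markup, so the label is parsed as HTML rather than shown as text (the element tags around it appear stripped in this rendering). The labels presumably come from the underlying select's option text and are trusted in this demo, but the demo is widely copied; building the anchor element and setting the label with `.text( item.label )` costs nothing and removes the assumption. The `_renderItem` function continues past the end of the hunk.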
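Review bot: Encoding `value` with `$( "" ).text( value ).html()` (the helper element's tag appears stripped in this rendering) fixes this one call site, but the cause — tooltip's default `content` handing the raw `title` attribute to the tooltip as HTML — stays in the widget, so every other title built from user input needs the same workaround. A comment on the added line should say why the detour through `.text().html()` exists, e.g. `// the tooltip renders the title as HTML, so HTML-encode the user-typed value first`, so a later cleanup does not remove it as redundant. removeIfInvalid starts and ends outside the hunk.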
+++ b/demos/autocomplete/combobox.html
@@ -61,7 +61,7 @@
 // remove invalid value, as it didn't match anything
 $( element )
 .val( "" )
- .attr( "title", $( "" ).text( value ).html() + " didn't match any item" )
+ .attr( "title", value + " didn't match any item" )
 .tooltip( "open" );
 select.val( "" );
 setTimeout(function() {
diff --git a/tests/unit/tooltip/tooltip_options.js b/tests/unit/tooltip/tooltip_options.js
index f9da27fb7..01ac25040 100644
--- a/tests/unit/tooltip/tooltip_options.js
+++ b/tests/unit/tooltip/tooltip_options.js
@@ -16,6 +16,20 @@ test( "content: default", function() {
 deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), "anchortitle" );
 });
+test( "content: default; HTML escaping", function() {
+ expect( 2 );
+ var scriptText = "",
+ element = $( "#tooltipped1" );
+
+ $.ui.tooltip.hacked = false;
+ element.attr( "title", scriptText )
+ .tooltip()
+ .tooltip( "open" );
+ equal( $.ui.tooltip.hacked, false, "script did not execute" );
+ deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), scriptText,
+ "correct tooltip text" );
+});
+
 test( "content: return string", function() {
 expect( 1 );
 var element = $( "#tooltipped1" ).tooltip({
diff --git a/ui/jquery.ui.tooltip.js b/ui/jquery.ui.tooltip.js
index 2ccd61f46..ab8d5173c 100644
--- a/ui/jquery.ui.tooltip.js
+++ b/ui/jquery.ui.tooltip.js
@@ -46,7 +46,9 @@ $.widget( "ui.tooltip", {
 version: "@VERSION",
 options: {
 content: function() {
- return $( this ).attr( "title" );
+ var title = $( this ).attr( "title" );
+ // Escape title, since we're going from an attribute to raw HTML
+ return $( "" ).text( title ).html();
 },
 hide: true,
 // Disabled elements have inconsistent behavior across browsers (#8661)
-- cgit v1.2.3
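Review bot: Reverting to `value + " didn't match any item"` is only safe because tooltip's default `content` now escapes the title; nothing at this line records that dependency, so a reader of the demo cannot tell that the user-typed value is deliberately left unencoded. A comment such as `// plain text: the tooltip widget escapes the title when rendering it (#8861)` would make that explicit, and would warn anyone who overrides `content` with a callback returning `$( this ).attr( "title" )` that they reintroduce HTML interpretation of the typed value. removeIfInvalid starts and ends outside the hunk.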
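Review bot: The new test sets `$.ui.tooltip.hacked` on the shared widget namespace and leaves it there, and it also leaves the `title` of `#tooltipped1` set to `scriptText`; unless the fixture teardown resets both (not visible here), later tests in this file observe the modified state. Adding `delete $.ui.tooltip.hacked;` after the assertions keeps the flag test-local. The `scriptText` literal appears stripped in this rendering, so the payload the assertions depend on cannot be reviewed from this page.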
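Review bot: The escaping on the new `return $( "" ).text( title ).html();` line (the helper element's tag appears stripped in this rendering) is right for element content, but nothing tells users of the `content` option that its return value is inserted as HTML and that a custom callback must escape user data itself; the added comment should carry that contract, e.g. `// the returned string is inserted as HTML; custom content callbacks must escape untrusted text themselves`. One behavioural detail worth a second comment: when the element has no title, `attr()` yields undefined and, if I read jQuery's `.text()` accessor right, `.text( undefined )` acts as a getter, so the option now returns "" where it previously returned undefined — both falsy, so callers that test truthiness behave the same. The `options` object and the widget definition continue outside the hunk.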