From f2854408cce7e4b7fc6bf8676761904af9c96bde Mon Sep 17 00:00:00 2001
From: Scott González
Date: Tue, 27 Nov 2012 11:21:33 -0500
Subject: Tooltip: Escape the title attribute so that it's treated as text and not HTML. Fixes #8861 - Tooltip: XSS vulnerability in default content.
---
 ui/jquery.ui.tooltip.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'ui/jquery.ui.tooltip.js')
diff --git a/ui/jquery.ui.tooltip.js b/ui/jquery.ui.tooltip.js
index 2ccd61f46..ab8d5173c 100644
--- a/ui/jquery.ui.tooltip.js
+++ b/ui/jquery.ui.tooltip.js
@@ -46,7 +46,9 @@ $.widget( "ui.tooltip", {
 	version: "@VERSION",
 	options: {
 		content: function() {
-			return $( this ).attr( "title" );
+			var title = $( this ).attr( "title" );
+			// Escape title, since we're going from an attribute to raw HTML
+			return $( "" ).text( title ).html();
 		},
 		hide: true,
 		// Disabled elements have inconsistent behavior across browsers (#8661)
--
cgit v1.2.3
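Review bot: The new `return` line no longer tolerates a missing attribute: before the change an element without a `title` yielded `undefined` (no content, tooltip not shown), whereas now `title` is `undefined` and jQuery's `.text( undefined )` acts as a getter and returns a plain string, so the chained `.html()` throws a TypeError instead of returning no content. A guard before the escape, `if ( title == null ) { return title; }`, keeps the old "no content" behaviour while still escaping every real title. Separately, as rendered here the throwaway element is created from an empty string, `$( "" )`, which is an empty set whose `.html()` is always `undefined`; presumably an element tag such as `"<a>"` was lost in rendering, but if the source really reads `$( "" )` the escape never produces a tooltip at all, so this is worth confirming against the committed file. Note also that `.text().html()` escapes `<`, `>` and `&` only, which is sufficient because the result is inserted as element content, not into an attribute or script context; a comment stating that assumption next to the existing "Escape title" comment would help the next maintainer. The `content` option and the enclosing `options` object continue outside the hunk.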