authorRobin Appelman <icewind@owncloud.com>2012-06-09 15:07:09 +0200
committerRobin Appelman <icewind@owncloud.com>2012-06-09 15:08:05 +0200
commit8f616ecf76aac4a8b554fbf5a90b1645d0f25438 (patch)
treed68fd79d779c0b00eb72843072998e94d8bd1afe
parent0f454215e785fa258cf506a1937ca8135a2b31c8 (diff)
fix potential xss in multiselect
-rw-r--r--core/js/multiselect.js12
1 files changed, 9 insertions, 3 deletions
diff --git a/core/js/multiselect.js b/core/js/multiselect.js
index 541dddf0f70..5f339006d26 100644
--- a/core/js/multiselect.js
+++ b/core/js/multiselect.js
@@ -57,8 +57,11 @@
element=$(element);
var item=element.val();
var id='ms'+multiSelectId+'-option-'+item;
- var input=$('<input id="'+id+'" type="checkbox"/>');
- var label=$('<label for="'+id+'">'+item+'</label>');
+ var input=$('<input type="checkbox"/>');
+ input.attr('id',id);
+ var label=$('<label/>');
+ label.attr('for',id);
+ label.text(item);
if(settings.checked.indexOf(item)!=-1 || checked){
input.attr('checked',true);
}
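Review bot: The new element-building lines carry no comment saying why the markup is no longer concatenated, so a later tidy-up could fold them back into a single string and reintroduce the injection. A short comment above `var input=...` would record the intent, for example `// item may be user-supplied: set it via attr()/text() so it is never parsed as markup`. Note also that `id` still embeds the raw `item` value; that is safe when assigned through `attr()`, but any code outside this hunk that looks the element up with `'#'+id` would need to escape it, which cannot be confirmed from here. The enclosing function starts and ends outside the hunk.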
@@ -130,7 +133,10 @@
li.text('+ '+settings.createText);
li.before(createItem(this));
var select=button.parent().next();
- select.append($('<option selected="selected" value="'+$(this).val()+'">'+$(this).val()+'</option>'));
+ var option=$('<option selected="selected"/>');
+ option.attr('value',$(this).val());
+ option.text($(this).val());
+ select.append(optione);
li.prev().children('input').trigger('click');
button.parent().data('preventHide',false);
if(settings.createCallback){
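Review bot: `select.append(optione);` refers to a name that is not declared anywhere in the hunk; the variable created three lines above is `option`. Unless something elsewhere defines `optione`, this line throws a ReferenceError when a new entry is created, so the new option never reaches the underlying select and the following `trigger('click')` and `preventHide` reset do not run. It should read `select.append(option);`. The enclosing handler starts and ends outside the hunk.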