Added proper escaping to OptionGroup item icon URLs (#13310)

Change-Id: Id0dea437e04e829567b31df3e9c496cd5adc09b8
author: Juho Nurminen <juho@vaadin.com> 2014-02-03 16:56:31 +0200
committer: Henri Sara <hesara@vaadin.com> 2014-02-11 14:00:26 +0200
commit: 0ecb5dcb80121e09d8feaa724ffcf621180de41b (patch)
tree: 033b2b9529132595655fb347663a1005d37e9e9d
parent: 76ea26732bcc85da57c89efcacb6919cab573302 (diff)
download: vaadin-framework-0ecb5dcb80121e09d8feaa724ffcf621180de41b.tar.gz
vaadin-framework-0ecb5dcb80121e09d8feaa724ffcf621180de41b.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/client/src/com/vaadin/client/ui/VOptionGroup.java b/client/src/com/vaadin/client/ui/VOptionGroup.java
index fee1c313f5..fe4ef214cb 100644
--- a/client/src/com/vaadin/client/ui/VOptionGroup.java
+++ b/client/src/com/vaadin/client/ui/VOptionGroup.java
@@ -142,8 +142,9 @@ public class VOptionGroup extends VOptionGroupBase implements FocusHandler,
             String icon = opUidl.getStringAttribute("icon");
             if (icon != null && icon.length() != 0) {
                 String iconUrl = client.translateVaadinUri(icon);
-                itemHtml = "<img src=\"" + iconUrl + "\" class=\""
-                        + Icon.CLASSNAME + "\" alt=\"\" />" + itemHtml;
+                itemHtml = "<img src=\"" + Util.escapeAttribute(iconUrl)
+                        + "\" class=\"" + Icon.CLASSNAME + "\" alt=\"\" />"
+                        + itemHtml;
             }
 
             String key = opUidl.getStringAttribute("key");
author	Juho Nurminen <juho@vaadin.com>	2014-02-03 16:56:31 +0200
committer	Henri Sara <hesara@vaadin.com>	2014-02-11 14:00:26 +0200
commit	0ecb5dcb80121e09d8feaa724ffcf621180de41b (patch)
tree	033b2b9529132595655fb347663a1005d37e9e9d
parent	76ea26732bcc85da57c89efcacb6919cab573302 (diff)
download	vaadin-framework-0ecb5dcb80121e09d8feaa724ffcf621180de41b.tar.gz vaadin-framework-0ecb5dcb80121e09d8feaa724ffcf621180de41b.zip