Added proper escaping to OptionGroup item icon URLs (#13310)

Change-Id: Id0dea437e04e829567b31df3e9c496cd5adc09b8
author: Juho Nurminen <juho@vaadin.com> 2014-02-03 16:56:31 +0200
committer: Vaadin Code Review <review@vaadin.com> 2014-02-11 11:57:52 +0000
commit: d88e4090a14ef3670232ad1b4a83c7260db36f9c (patch)
tree: 1a25ccf804b01cf68b74708444fe80d0d61f1ed6 /client
parent: 6d8b9e5488ad1fd49b66c7a07a20f96fa2781436 (diff)
download: vaadin-framework-d88e4090a14ef3670232ad1b4a83c7260db36f9c.tar.gz
vaadin-framework-d88e4090a14ef3670232ad1b4a83c7260db36f9c.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/client/src/com/vaadin/client/ui/VOptionGroup.java b/client/src/com/vaadin/client/ui/VOptionGroup.java
index fee1c313f5..fe4ef214cb 100644
--- a/client/src/com/vaadin/client/ui/VOptionGroup.java
+++ b/client/src/com/vaadin/client/ui/VOptionGroup.java
@@ -142,8 +142,9 @@ public class VOptionGroup extends VOptionGroupBase implements FocusHandler,
             String icon = opUidl.getStringAttribute("icon");
             if (icon != null && icon.length() != 0) {
                 String iconUrl = client.translateVaadinUri(icon);
-                itemHtml = "<img src=\"" + iconUrl + "\" class=\""
-                        + Icon.CLASSNAME + "\" alt=\"\" />" + itemHtml;
+                itemHtml = "<img src=\"" + Util.escapeAttribute(iconUrl)
+                        + "\" class=\"" + Icon.CLASSNAME + "\" alt=\"\" />"
+                        + itemHtml;
             }
 
             String key = opUidl.getStringAttribute("key");
author	Juho Nurminen <juho@vaadin.com>	2014-02-03 16:56:31 +0200
committer	Vaadin Code Review <review@vaadin.com>	2014-02-11 11:57:52 +0000
commit	d88e4090a14ef3670232ad1b4a83c7260db36f9c (patch)
tree	1a25ccf804b01cf68b74708444fe80d0d61f1ed6 /client
parent	6d8b9e5488ad1fd49b66c7a07a20f96fa2781436 (diff)
download	vaadin-framework-d88e4090a14ef3670232ad1b4a83c7260db36f9c.tar.gz vaadin-framework-d88e4090a14ef3670232ad1b4a83c7260db36f9c.zip