From 259fd6f0dbf07e3b67fcd190fa575980c0998ec8 Mon Sep 17 00:00:00 2001
From: jlukic
Date: Mon, 25 Aug 2014 17:11:38 -0400
Subject: [PATCH] Fixes #1033 issue with XSS in popup

---
src/definitions/modules/popup.js | 48 ++++++++++++++++++++++++++------
1 file changed, 40 insertions(+), 8 deletions(-)

diff --git a/src/definitions/modules/popup.js b/src/definitions/modules/popup.js
index 095af202f..340a32ee1 100755
--- a/src/definitions/modules/popup.js
+++ b/src/definitions/modules/popup.js
@@ -901,17 +901,49 @@ $.fn.popup.settings = {
 popup : '.ui.popup' },
- template: function(text) {
- var html = '';
- if(typeof text !== undefined) {
- if(typeof text.title !== undefined && text.title) {
- html += '
' + text.title + '
';
+ escape: function() {
+
+ },
+
+ templates: {
+ escape: function(string) {
+ var
+ badChars = /[&<>"'`]/g,
+ shouldEscape = /[&<>"'`]/,
+ escape = {
+ "&": "&",
+ "<": "<",
+ ">": ">",
+ '"': """,
+ "'": "'",
+ "`": "`"
+ },
+ escapedChar = function(chr) {
+ return escape[chr];
+ }
+ ;
+ if(shouldEscape.test(string)) {
+ return string.replace(badChars, escapedChar);
 }
- if(typeof text.content !== undefined && text.content) {
- html += '
' + text.content + '
';
+ return string;
+ },
+ popup: function(text) {
+ var
+ html = '',
+ escape = $.fn.popup.settings.templates.escape
+ ;
+ if(typeof text !== undefined) {
+ if(typeof text.title !== undefined && text.title) {
+ text.title = escape(text.title);
+ html += '
' + text.title + '
';
+ }
+ if(typeof text.content !== undefined && text.content) {
+ text.content = escape(text.content);
+ html += '
' + text.content + '
';
+ }
+ }
+ return html;
 }
- return html;
 }
 };
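Review bot: `typeof text !== undefined` in the new `popup` template (and the `typeof text.title` / `typeof text.content` forms beside it) compares the string returned by `typeof` with the value `undefined`, so the guard is always true and a missing `text` still reaches `text.title`; write `if(text !== undefined) {` (or compare against the string `'undefined'`). `text.title = escape(text.title);` and `text.content = escape(text.content);` also write the escaped strings back into the caller's object, so rendering the same settings object twice escapes it twice (`&` ends up as `&amp;amp;`); keep the escaped value local, `html += ... + escape(text.title) + ...;`, and drop the assignments. The empty `escape: function() { }` added at the settings root is not referenced anywhere in the hunk and looks like a leftover stub. As rendered here the values of the `escape` map are the same characters as their keys, which would make `templates.escape` a no-op; presumably the committed file holds the entity forms, but this is worth confirming. The settings object these lines belong to begins before the hunk.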