
Escape tooltip text. HTML in the title should be displayed literally, not rendered.

This prevents JS injection.
1 parent 51376b0 commit 4414527a0515eb880f06c3815afdbe454c041232 @jone jone committed Jun 14, 2012
Showing with 9 additions and 3 deletions.
  1. +4 −2 docs/HISTORY.txt
  2. +5 −1 ftw/tooltip/browser/tooltip_template.js
@@ -4,7 +4,9 @@ Changelog
1.0.4 (unreleased)
------------------
-- Nothing changed yet.
+- Escape tooltips. HTML should not be rendered but displayed.
+ This prevents JS injection.
+ [jone]
1.0.3 (2012-05-09)
@@ -39,4 +41,4 @@ Changelog
----------------
- Init release
- [mathias.leimgruber]
+ [mathias.leimgruber]
@@ -9,6 +9,10 @@ function ShowTooltip(item){
$this.attr('title', item.text);
}
if ($this.attr('title')){
+ /* escape text for prohibiting JS injection */
+ var title = $('<div/>').text($this.attr('title')).html();
+ $this.attr('title', title);
+
var customconfig = <span tal:replace="structure view/get_custom_config" />;
var settings = jq.extend({
tipClass:'',
@@ -37,4 +41,4 @@ jq(function(){
});
});
-</tal:def>
+</tal:def>
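Review bot: The escaped text is written back into the element's `title` attribute, so if ShowTooltip runs on the same element more than once the value is escaped again (`&lt;` becomes `&amp;lt;`), and the browser's native tooltip, where it is still shown, will display the entities literally. Escaping into a local and handing that to the tooltip, without the `$this.attr('title', title);` write-back, would avoid both, provided the plugin configured below can take the text directly; its API is outside the hunk so I cannot confirm that. The fix also rests on the plugin inserting the title as HTML, which is not visible here; a one-line comment stating it, `// the tooltip plugin renders the title as HTML, so it must be entity-escaped first`, would record why the escaping is needed. Unrelated to this change, the `customconfig` line still splices server output into the script unescaped via `structure`; worth checking that get_custom_config returns JSON-serialized data. ShowTooltip begins before the hunk.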
