Using htmlEscape

caolan · Feb 12, 2013 · 98f68c3 · 98f68c3
1 parent e9177b7
commit 98f68c3
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/widgets.js b/lib/widgets.js
@@ -1,4 +1,5 @@
 /*jslint node: true */
+var htmlEscape = require('./htmlEscape');
 
 // generates a string for common widget attributes
 var attrs = function (a, needsID) {
@@ -20,7 +21,7 @@ var attrs = function (a, needsID) {
             value = null;
         }
         if (typeof value !== 'undefined' && value !== null) {
-            pairs.push(field + '="' + value + '"');
+            pairs.push(htmlEscape(field) + '="' + htmlEscape(value) + '"');
         }
     });
     return pairs.length > 0 ? ' ' + pairs.join(' ') : '';