Navbar: Escape class attributes for some types

The 'link' type (which becomes a navbar item by default) as well as the 'dropdown' type did not escape the class attribute.
grip-on-software · Jun 13, 2023 · d290d44 · d290d44
1 parent 4a65131
commit d290d44
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/Navbar.js b/lib/Navbar.js
@@ -43,7 +43,7 @@ class Navbar {
                     ${this.build(item.items)}
                 </div>`,
             "link": (item) => `
-                <a class="navbar-${item.class || "item"}"
+                <a class="navbar-${html(item.class || "item")}"
                     href="${html(this.link(item.url))}"
                     title="${html(this.locale(item.title))}">
                     ${this.icon(item.icon)}
@@ -76,7 +76,7 @@ class Navbar {
                     ${this.build(item.items)}
                 </div>`,
             "dropdown": (item) => `
-                <div class="navbar-item has-dropdown is-hoverable ${item.class}">
+                <div class="navbar-item has-dropdown is-hoverable ${html(item.class)}">
                     ${this.build([_.assign({"type": "link", "class": "link"}, item.link)])}
                     <div class="navbar-dropdown is-boxed" ${typeof item.id !== "undefined" ? `id="${html(item.id)}"` : ''}>
                         ${this.build(item.items)}