Bug: 14857
Escape user-provided resource name when outputting. Prevents XSS vuln.
mrubinsk committed Sep 26, 2018
1 parent 09d9014 commit 39f7400
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion js/kronolith.js
Expand Up @@ -3322,7 +3322,7 @@ KronolithCore = {
}
$('kronolithCalendarresourcegroupmembers').update();
$H(Kronolith.conf.calendars.resource).each(function(r) {
var o = new Element('option', { value: r.value.id }).update(r.value.name);
var o = new Element('option', { value: r.value.id }).update(r.value.name.escapeHTML());
$('kronolithCalendarresourcegroupmembers').insert(o);
});
},
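Review bot: The new `.update(r.value.name.escapeHTML())` call assumes `r.value.name` is always a string. If a resource entry arrives with a missing or non-string name, the call throws inside the `each` callback and the remaining options are never inserted. Consider coercing first, for example `String(r.value.name || '').escapeHTML()`. Prototype's `escapeHTML()` encodes only `&`, `<` and `>`, which is sufficient here because the value lands in the element content of the `option`. A short comment saying so would keep the pattern from being copied into an attribute context, where quotes would also need encoding. The `value: r.value.id` attribute goes through the `Element` constructor rather than markup, so it needs no change.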