
Selectmenu: Do not double-entity-encode option text

(cherry picked from commit b0e1202)

Closes gh-7544
Fixes gh-7543
gabrielschulhof committed Jul 4, 2014
1 parent a6aef45 commit 8ba83c0d1a8b13abf8bc9eeab5e5fa35f88d9a2a
@@ -460,10 +460,15 @@ $.widget( "mobile.selectmenu", $.mobile.selectmenu, {
}
parent = option.parentNode;
text = $option.getEncodedText();
anchor = document.createElement( "a" );
classes = [];
// Although using .text() here raises the risk that, when we later paste this into the
// list item we end up pasting possibly malicious things like <script> tags, that risk
// only arises if we do something like $( "<li><a href='#'>" + text + "</a></li>" ). We
// don't do that. We do document.createTextNode( text ) instead, which guarantees that
// whatever we paste in will end up as text, with characters like <, > and & escaped.
text = $option.text();
anchor = document.createElement( "a" );
anchor.setAttribute( "href", "#" );
anchor.appendChild( document.createTextNode( text ) );
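Review bot: `text` now holds the raw, unencoded option label; inside the hunk it reaches the DOM only through `document.createTextNode( text )`, which is safe, but the enclosing function starts and ends outside the hunk, so any later use of `text` in string-built markup or an `.html()` call would now inject it unescaped — the rest of the function should be checked for such uses before relying on this change. The five-line comment could also be tighter, since a text node is never parsed as markup and nothing is actually "escaped" at this point; `// .text() is safe here: the value only reaches the DOM via createTextNode, which never parses markup.` says the same in one line. `anchor = document.createElement( "a" );` appears twice in the hunk; if the page merely lost the removed marker this is a move, otherwise the first assignment is dead and should go.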
@@ -36,6 +36,10 @@
<div id="qunit"></div>
<div id="default" data-nstest-role="page" data-nstest-theme="c">
<select id="encoding-test" data-nstest-native-menu="false">
<option value="1">&lt;script&gt;$( "*" ).css( "background-color", "red" );&lt;/script&gt;</option>
<option value="2">Another option</option>
</select>
<select name="small-select-change-after-close" id="small-select-change-after-close" data-nstest-native-menu="false">
<option value="1">One</option>
<option value="2">Two</option>
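Review bot: The fixture exercises only the markup case, while the commit is about double entity-encoding; no option label contains a bare entity whose rendered form would expose a second encoding pass. One more option such as `<option value="3">Fish &amp; Chips</option>` would let the test compare the rendered anchor text with the option text and catch a regression where `&amp;` is shown literally. The surrounding fixture lines presumably come from the same page; the hunk does not show its start.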
@@ -19,6 +19,11 @@
var homeWithSearch = $.mobile.path.parseUrl(location.pathname).pathname + location.search;
test( "No tags are accidentally injected during list building", function() {
deepEqual( $( "#encoding-test-menu > li:first-child > a > script" ).length, 0,
"No script tag has ended up inside the anchor" );
});
module(libName, {
setup: function() {
$.mobile.navigate.history.stack = [];
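Review bot: The assertion proves only that no `script` element was created; it does not check what the commit actually fixes, namely that the label is rendered once rather than entity-encoded twice, so a regression back to `getEncodedText()` would still pass. A second assertion comparing rendered and source text pins that: `deepEqual( $( "#encoding-test-menu > li:first-child > a" ).text(), $( "#encoding-test option:first-child" ).text(), "Anchor text equals the option text" );`. This assumes `#encoding-test-menu` exists by the time the test runs, i.e. the select has already been enhanced; if enhancement happens later in this harness the test would need to move into a module with the appropriate setup.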
