
Selectmenu: Do not double-entity-encode option text

(cherry picked from commit b0e1202)

Closes gh-7544
Fixes gh-7543
1 parent a6aef45 commit 8ba83c0d1a8b13abf8bc9eeab5e5fa35f88d9a2a @gabrielschulhof gabrielschulhof committed Jul 4, 2014
@@ -460,10 +460,15 @@ $.widget( "mobile.selectmenu", $.mobile.selectmenu, {
}
parent = option.parentNode;
- text = $option.getEncodedText();
- anchor = document.createElement( "a" );
classes = [];
+ // Although using .text() here raises the risk that, when we later paste this into the
+ // list item we end up pasting possibly malicious things like <script> tags, that risk
+ // only arises if we do something like $( "<li><a href='#'>" + text + "</a></li>" ). We
+ // don't do that. We do document.createTextNode( text ) instead, which guarantees that
+ // whatever we paste in will end up as text, with characters like <, > and & escaped.
+ text = $option.text();
+ anchor = document.createElement( "a" );
anchor.setAttribute( "href", "#" );
anchor.appendChild( document.createTextNode( text ) );
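Review bot: The safety argument in the new comment above the `.text()` assignment holds only while `text` is consumed exclusively through `document.createTextNode`; the variable now carries raw, unencoded option text, so any later use of it in string-built markup or an `.html()` call would reintroduce the injection the comment describes, and the enclosing function continues outside this hunk so that cannot be confirmed here. Stating the invariant at the assignment would make the constraint visible to the next maintainer, e.g. `// NOTE: text is raw (unencoded); only ever insert it via createTextNode, never via string-built markup`. The phrase "with characters like <, > and & escaped" is also slightly misleading: a text node stores those characters verbatim as data, and they are only escaped when the DOM is serialized, which is precisely what makes this approach safe.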
@@ -36,6 +36,10 @@
<div id="qunit"></div>
<div id="default" data-nstest-role="page" data-nstest-theme="c">
+ <select id="encoding-test" data-nstest-native-menu="false">
+ <option value="1">&lt;script&gt;$( "*" ).css( "background-color", "red" );&lt;/script&gt;</option>
+ <option value="2">Another option</option>
+ </select>
<select name="small-select-change-after-close" id="small-select-change-after-close" data-nstest-native-menu="false">
<option value="1">One</option>
<option value="2">Two</option>
@@ -19,6 +19,11 @@
var homeWithSearch = $.mobile.path.parseUrl(location.pathname).pathname + location.search;
+ test( "No tags are accidentally injected during list building", function() {
+ deepEqual( $( "#encoding-test-menu > li:first-child > a > script" ).length, 0,
+ "No script tag has ended up inside the anchor" );
+ });
+
module(libName, {
setup: function() {
$.mobile.navigate.history.stack = [];
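Review bot: The new test passes vacuously if the menu was never built, because `$( "#encoding-test-menu > li:first-child > a > script" ).length` is 0 both when the text was rendered safely and when the `#encoding-test-menu` element does not exist at all. Asserting on the anchor itself pins the intended behaviour, e.g. `deepEqual( $( "#encoding-test-menu > li:first-child > a" ).text(), '<script>$( "*" ).css( "background-color", "red" );</script>', "Option text is rendered verbatim" );` — the menu id is presumably derived by the widget from the fixture's `encoding-test` select, so confirm that naming. It would also be worth verifying that the fixture's script did not execute (for instance that no element's background-color became red), since a missing `script` child is only one symptom of correct escaping.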

