

With .html() on the text for the menu, XSS can be passed through sinc…
…e jQuery parses the string as markup, so script tags and event-handler attributes in a menu name are executed. Changed .html() to .text()
Greg Block committed Sep 13, 2014
1 parent 8d0de4d commit f3137f2
Showing 1 changed file with 3 additions and 5 deletions.
8 changes: 3 additions & 5 deletions src/jquery.contextMenu.js
Expand Up @@ -980,7 +980,7 @@ var // currently active contextMenu trigger
$t.addClass('context-menu-html not-selectable');
} else if (item.type) {
$label = $('<label></label>').appendTo($t);
$('<span></span>').html(item._name || item.name).appendTo($label);
$('<span></span>').text(item._name || item.name).appendTo($label);
$t.addClass('context-menu-input');
opt.hasTypes = true;
$.each([opt, root], function(i,k){
Expand Down Expand Up @@ -1039,8 +1039,7 @@ var // currently active contextMenu trigger
break;

case 'sub':
// FIXME: shouldn't this .html() be a .text()?
$('<span></span>').html(item._name || item.name).appendTo($t);
$('<span></span>').text(item._name || item.name).appendTo($t);
item.appendTo = item.$node;
op.create(item, root);
$t.data('contextMenu', item).addClass('context-menu-submenu');
Expand All @@ -1058,8 +1057,7 @@ var // currently active contextMenu trigger
k.callbacks[key] = item.callback;
}
});
// FIXME: shouldn't this .html() be a .text()?
$('<span></span>').html(item._name || item.name || "").appendTo($t);
$('<span></span>').text(item._name || item.name || "").appendTo($t);
break;
}

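Review bot: The new `.text()` calls in the first two hunks still pass `item._name || item.name` with no fallback, while the third hunk guards with `|| ""`; when neither name is set, `.text(undefined)` is, depending on the jQuery version, either a silent no-op or a getter that returns a string and makes the following `.appendTo($t)` throw — the same as the old `.html(undefined)`, but the three sites should agree, e.g. `$('<span></span>').text(item._name || item.name || "").appendTo($t);`. The switch is also a visible behaviour change that the commit does not document: names that used to carry markup or entities (e.g. `&amp;`, `<b>…</b>`) now render literally, so a comment such as `// names are rendered as plain text, never markup; use the 'html' item type for trusted markup` at each site would help callers. The `context-menu-html` branch just above the first hunk presumably still renders raw markup by design, but it lies outside the hunk, so whether it is reachable with untrusted input cannot be checked here. The enclosing function starts before the first hunk and ends after the last one.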
