
RenderBuffer now properly escapes non-string attribute values

1 parent 255bd70 commit f533cb6367bfd37dab06e9fdbbee19c2fb0d8e73 @wagenet wagenet committed Apr 18, 2012
Showing with 7 additions and 6 deletions.
  1. +7 −6 packages/ember-views/lib/system/render_buffer.js
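--- a/packages/ember-views/lib/system/render_buffer.js
+++ b/packages/ember-views/lib/system/render_buffer.js
@@ -385,13 +385,14 @@ Ember._RenderBuffer.prototype =
 }
 },
- _escapeAttribute: function(string) {
+ _escapeAttribute: function(value) {
 // Escaping only double quotes is probably sufficient, but it can't hurt to do a few more
- return string.replace(/&/g, '&')
- .replace(/</g, '&lt;')
- .replace(/>/g, '&gt;')
- .replace(/'/g, '&#x27;')
- .replace(/"/g, '&quot;');
+ return value.toString()
+ .replace(/&/g, '&amp;')
+ .replace(/</g, '&lt;')
+ .replace(/>/g, '&gt;')
+ .replace(/'/g, '&#x27;')
+ .replace(/"/g, '&quot;');
 }
 };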
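Review bot: `value.toString()` on the new return line throws a TypeError when `value` is `null` or `undefined`, which are exactly the kind of non-string attribute values the commit title says this change is meant to handle; `return String(value)` (or an explicit `if (value == null) { return ''; }` guard first, if empty output is the intended contract) avoids the crash and otherwise produces the same string. The escape set `& < > ' "` is only safe when the caller always wraps the result in a quoted attribute, and the comment above hedges with "probably", so the contract should be stated rather than implied, e.g. `// Result must be emitted inside a double-quoted attribute; backtick and = are not escaped, so an unquoted attribute would still be injectable.` The `Ember._RenderBuffer.prototype` object literal this method belongs to begins outside the hunk, and the method closing at the top of the hunk is not visible.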
