
BUGFIX Escape HTML in DropdownField and ListboxField

Fixes reflected XSS in Group titles when using
in group selections (e.g. in "New Member" form).
1 parent 604ede3 commit f8bbc0a7265ca8da74bd1ffd073180a887dfbdeb @chillu chillu committed Jan 4, 2013
Showing with 1 addition and 1 deletion.
  1. +1 −1 templates/forms/DropdownField.ss
2 templates/forms/DropdownField.ss
@@ -1,5 +1,5 @@
<select $AttributesHTML>
<% loop Options %>
- <option value="$Value"<% if Selected %> selected="selected"<% end_if %><% if Disabled %> disabled="disabled"<% end_if %>>$Title</option>
+ <option value="$Value.XML"<% if Selected %> selected="selected"<% end_if %><% if Disabled %> disabled="disabled"<% end_if %>>$Title.XML</option>
<% end_loop %>
</select>
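Review bot: the commit title names both DropdownField and ListboxField, but the hunk touches only templates/forms/DropdownField.ss; if ListboxField renders through this same template, state that in the commit message, otherwise its own template needs the same `$Value.XML` / `$Title.XML` change. The substitution itself is correct: both the `value` attribute and the option text now pass through `.XML`, which is what closes the reflected XSS in group titles the message describes. `$AttributesHTML` on the `<select>` line is untouched, so the fix relies on the field class already escaping those attributes; that is worth confirming rather than assuming.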
