This repository has been archived by the owner on Mar 6, 2019. It is now read-only.
Fix lack of escaping (and so XSS vuln.) in select2 calls
The invocation of jQuery select2 to provide searchable dropdowns didn't sanitise data coming from lookup, with the result that any HTML markup it contained, including <script>...</script>, was interpreted. The documentation is difficult to follow, but indications are that the formatter functions (at least formatResult and formatSelection), if overridden, have to do their own escaping of data as necessary. They are, however, passed the current global 'escapeMarkup' function as their final parameter.
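An added example (not code from this commit or the project) of the formatter-escaping pattern the commit message describes: the vulnerable shape of an overridden formatter beside the fixed one that runs lookup data through the escapeMarkup function select2 hands in as the final argument. The escapeMarkup body here is modelled on select2 3.x's default escaper and the formatter signatures on its 3.x API, both assumptions; select2 itself is not loaded.

```javascript
// escapeMarkup stands in for select2's global escaper (assumed to match the
// 3.x default character set); in a real page select2 supplies this itself.
function escapeMarkup(markup) {
  const map = { '\\': '&#92;', '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;', '/': '&#47;' };
  return String(markup).replace(/[&<>"'\/\\]/g, (ch) => map[ch]);
}

// Vulnerable formatter: lookup data is concatenated straight into the HTML
// string select2 injects into the dropdown, so markup in the data is rendered.
function unsafeFormatResult(result) {
  return '<div class="result">' + result.text + '</div>';
}

// Fixed formatter: select2 3.x calls formatResult(result, container, query,
// escapeMarkup); every piece of lookup data goes through that escaper first.
function safeFormatResult(result, container, query, escape) {
  return '<div class="result">' + escape(result.text) + '</div>';
}

// Same rule for formatSelection(data, container, escapeMarkup).
function safeFormatSelection(data, container, escape) {
  return escape(data.text);
}

// Constructed lookup record standing in for a hostile server response.
const hostileRecord = { id: 1, text: 'Smith <script>...</script>' };

// Regression check usable outside a browser: does the rendered string still
// carry a raw script tag?
function containsRawTag(html) {
  return /<script\b/i.test(html);
}

console.log(unsafeFormatResult(hostileRecord));
console.log(safeFormatResult(hostileRecord, null, null, escapeMarkup));
```

Wiring the safe formatters into the `$(...).select2({ formatResult: safeFormatResult, formatSelection: safeFormatSelection })` options is the remaining step in a real page.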
Jon Warbrick committed Sep 14, 2016. 1 parent 959dece, commit 5e25e47.
Showing 4 changed files with 20 additions and 28 deletions.