fix(vcalendar): escape html of event name (#9387)

Fixed bug with calendar that could run html with a event name.
vuetifyjs · Oct 24, 2019 · 283d601 · 283d601
1 parent 9856ca7
commit 283d601
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/packages/vuetify/src/components/VCalendar/mixins/calendar-with-events.ts b/packages/vuetify/src/components/VCalendar/mixins/calendar-with-events.ts
@@ -10,6 +10,9 @@ import ripple from '../../../directives/ripple'
 // Mixins
 import CalendarBase from './calendar-base'
 
+// Helpers
+import { escapeHTML } from '../../../util/helpers'
+
 // Util
 import props from '../util/props'
 import {
@@ -96,7 +99,7 @@ export default CalendarBase.extend({
       return typeof this.eventName === 'function'
         ? this.eventName as VNameFunction
         : (event, timedEvent) => {
-          const name = event.input[this.eventName as string] as string
+          const name = escapeHTML(event.input[this.eventName as string] as string)
           if (event.start.hasTime) {
             if (timedEvent) {
               const showStart = event.start.hour < 12 && event.end.hour >= 12