Commit cfe219fb authored by Robin Appelman's avatar Robin Appelman

fix potential xss in multiselect

parent 344299a0
...@@ -57,8 +57,11 @@ ...@@ -57,8 +57,11 @@
element=$(element); element=$(element);
var item=element.val(); var item=element.val();
var id='ms'+multiSelectId+'-option-'+item; var id='ms'+multiSelectId+'-option-'+item;
var input=$('<input id="'+id+'" type="checkbox"/>'); var input=$('<input type="checkbox"/>');
var label=$('<label for="'+id+'">'+item+'</label>'); input.attr('id',id);
var label=$('<label/>');
label.attr('for',id);
label.text(item);
if(settings.checked.indexOf(item)!=-1 || checked){ if(settings.checked.indexOf(item)!=-1 || checked){
input.attr('checked',true); input.attr('checked',true);
} }
...@@ -130,7 +133,10 @@ ...@@ -130,7 +133,10 @@
li.text('+ '+settings.createText); li.text('+ '+settings.createText);
li.before(createItem(this)); li.before(createItem(this));
var select=button.parent().next(); var select=button.parent().next();
select.append($('<option selected="selected" value="'+$(this).val()+'">'+$(this).val()+'</option>')); var option=$('<option selected="selected"/>');
option.attr('value',$(this).val());
option.text($(this).val());
select.append(optione);
li.prev().children('input').trigger('click'); li.prev().children('input').trigger('click');
button.parent().data('preventHide',false); button.parent().data('preventHide',false);
if(settings.createCallback){ if(settings.createCallback){
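Review bot: In the second hunk the new line `select.append(optione);` references an identifier that is never declared; the element built on the three lines above it is `option`, so this statement throws a ReferenceError when a user creates a new entry. As a result the option is never added to the underlying select, and the statements after it (the `trigger('click')` and the `preventHide` reset) are not reached on that path. The line should read `select.append(option);`. The move from string-concatenated markup to `.attr()` and `.text()` in both hunks is the right way to keep the item value out of the HTML parser, but the create path cannot be exercised until the typo is fixed. The enclosing handler starts and ends outside the hunk.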