From: arno Date: Thu, 20 Aug 2009 10:14:05 +0000 (+0200) Subject: avoid html injection in item title X-Git-Tag: v0.3b_thomas~6 X-Git-Url: https://dev.renevier.net/?a=commitdiff_plain;ds=inline;h=441da3baad4720c4ff62f2b6eda1cc6af08ab1b8;p=syp.git avoid html injection in item title
---
diff --git a/js/syp.js b/js/syp.js
index a7586ca..8ebc302 100644
--- a/js/syp.js
+++ b/js/syp.js
@@ -212,8 +212,9 @@ var SYP = {
 }
 var contentHTML;
 if (feature.cluster[0].attributes.name) {
+ // escaping name is necessary because it's not enclosed in another html tag.
 contentHTML = "

" +
- feature.cluster[0].attributes.name +
+ SYP.Utils.escapeHTML(feature.cluster[0].attributes.name) +
 "

" +
 feature.cluster[0].attributes.description;
 } else {
@@ -384,6 +385,18 @@ var SYP = {
 }
 div.style.display = "block";
 div.appendChild(textNode);
+ },
+
+ escapeHTML: function (str) {
+ if (!str) {
+ return "";
+ }
+ return str.
+ replace(/&/gm, '&').
+ replace(/'/gm, ''').
+ replace(/"/gm, '"').
+ replace(/>/gm, '>').
+ replace(/
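Review bot: The description concatenated on the last context line, `feature.cluster[0].attributes.description`, is still spliced into contentHTML unescaped, while only the name on the changed line goes through SYP.Utils.escapeHTML. If description comes from the same untrusted source as name it needs the same treatment, `SYP.Utils.escapeHTML(feature.cluster[0].attributes.description)`; if it is deliberately rendered as markup, the added comment should say so, because "not enclosed in another html tag" is not what decides whether escaping is needed — any value joined into an HTML string is parsed as markup wherever it lands. A comment along the lines of `// name is plain text and must be escaped; description is rendered as trusted HTML (confirm it is not user-controlled)` would state the actual invariant. The enclosing function starts before the hunk and continues past it into the else branch.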