fixed XSS vulnerability in Clearing

.html() executes even encoded scripts.
.innerHTML doesn't.

diff --git a/js/foundation/foundation.clearing.js b/js/foundation/foundation.clearing.js
index 0e6763ea80b95bb2b13ce2028967900439cfc60f..a7d496abdb0cf5dda3f5d9679787e81631e7640c 100644 (file)
--- a/js/foundation/foundation.clearing.js
+++ b/js/foundation/foundation.clearing.js
@@ -453,9 +453,9 @@
       var caption = $image.attr('data-caption');
 
       if (caption) {
-        container
-          .html(caption)
-          .show();
+       var containerPlain = container.get(0);
+       containerPlain.innerHTML = caption;
+        container.show();
       } else {
         container
           .text('')