]> git.ipfire.org Git - thirdparty/foundation/foundation-sites.git/commitdiff
projects / thirdparty / foundation / foundation-sites.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 26b3159)
Read title value as text instead of HTML 7359/head
authorTrevor Bramble <inbox@trevorbramble.com>
Thu, 3 Dec 2015 02:08:00 +0000 (18:08 -0800)
committerTrevor Bramble <inbox@trevorbramble.com>
Thu, 3 Dec 2015 02:08:00 +0000 (18:08 -0800)
Using `.html` when grabbing the `title` value allows it to be evaluated by JavaScript, a potential security loophole.

js/foundation/foundation.tooltip.js patch | blob | blame | history

diff --git a/js/foundation/foundation.tooltip.js b/js/foundation/foundation.tooltip.js
index d6cb3f638c4455908890bbced139b8a635bb42ac..e5cba11f381d317ddd22da38c76aebc0292ca93a 100644 (file)
--- a/js/foundation/foundation.tooltip.js
+++ b/js/foundation/foundation.tooltip.js
@@ -194,7 +194,7 @@
         tip_template = window[settings.tip_template];
       }
 
-      var $tip = $(tip_template(this.selector($target), $('<div></div>').html($target.attr('title')).html())),
+      var $tip = $(tip_template(this.selector($target), $('<div></div>').html($target.attr('title')).text())),
           classes = this.inheritable_classes($target);
 
       $tip.addClass(classes).appendTo(settings.append_to);
Mirror of https://github.com/foundation/foundation-sites.git