From: Maya Kokits Date: Fri, 19 Jun 2015 16:17:07 +0000 (+0200) Subject: fixed XSS vulnerability in Clearing X-Git-Tag: v5.5.3~59^2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=refs%2Fpull%2F6640%2Fhead;p=thirdparty%2Ffoundation%2Ffoundation-sites.git fixed XSS vulnerability in Clearing .html() executes even encoded scripts. .innerHTML doesn't. --- diff --git a/js/foundation/foundation.clearing.js b/js/foundation/foundation.clearing.js index 0e6763ea8..a7d496abd 100644 --- a/js/foundation/foundation.clearing.js +++ b/js/foundation/foundation.clearing.js @@ -453,9 +453,9 @@ var caption = $image.attr('data-caption'); if (caption) { - container - .html(caption) - .show(); + var containerPlain = container.get(0); + containerPlain.innerHTML = caption; + container.show(); } else { container .text('')
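Review bot: Replacing `.html(caption)` with `containerPlain.innerHTML = caption` does not remove the XSS: the value of `data-caption` is still parsed as HTML, and while `innerHTML` assignment does not run `<script>` elements, it does create elements whose attributes can execute script, so an attacker-controlled caption stays exploitable. The `else` branch of this same hunk already uses `container.text('')`, so the consistent and safe fix is to treat the caption as text too, e.g. `container.text(caption).show();` (or `containerPlain.textContent = caption;`), and to delete the `containerPlain` variable. If captions are meant to carry markup as a feature, the caption must be sanitized before insertion rather than assigned raw via either `.html()` or `innerHTML`.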