From 26a3c4425334e717f9def61cb68c655014922a76 Mon Sep 17 00:00:00 2001
From: Maya Kokits
Date: Fri, 19 Jun 2015 18:17:07 +0200
Subject: [PATCH] fixed XSS vulnerability in Clearing

.html() executes even encoded scripts. .innerHTML doesn't.
---
 js/foundation/foundation.clearing.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/js/foundation/foundation.clearing.js b/js/foundation/foundation.clearing.js
index 0e6763ea8..a7d496abd 100644
--- a/js/foundation/foundation.clearing.js
+++ b/js/foundation/foundation.clearing.js
@@ -453,9 +453,9 @@
 var caption = $image.attr('data-caption');
 if (caption) {
- container
- .html(caption)
- .show();
+ var containerPlain = container.get(0);
+ containerPlain.innerHTML = caption;
+ container.show();
 } else {
 container
 .text('')
-- 
2.47.2
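Review bot: Assigning `caption` to `innerHTML` still parses the value as HTML, so the new line only stops `<script>` elements from being evaluated (which jQuery's `.html()` did); any other markup carried in `data-caption`, including inline event-handler attributes, is still inserted into the live document, so the XSS named in the subject is narrowed rather than closed. If captions are meant to be plain text, the safe change is `container.text(caption).show();`, which sets textContent and never parses markup; if HTML captions are an intended feature, the value needs sanitising before insertion rather than a different setter. Whether `data-caption` can be attacker-influenced is not visible in the hunk, but the commit itself treats it as untrusted, and a comment such as `// caption is untrusted markup: must not be parsed as HTML` would keep the next maintainer from reverting to `.html()`. The enclosing function starts and ends outside the hunk.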