prevent delete role xss

2016-01-12 08:14:19 +01:00 · 2016-01-12 08:14:19 +01:00 · e2ac1d1470
parent 60e86656ee
commit e2ac1d1470
1 changed files with 5 additions and 4 deletions
--- a/app/coffee/modules/common/confirm.coffee
+++ b/app/coffee/modules/common/confirm.coffee
@ -95,22 +95,23 @@ class ConfirmService extends taiga.Service
        el = angular.element(lightboxSelector)

        # Render content
-        el.find(".title").html(title)
-        el.find(".subtitle").html(subtitle)
+        el.find(".title").text(title)
+        el.find(".subtitle").text(subtitle)

        if replacement
-            el.find(".replacement").html(replacement)
+            el.find(".replacement").text(replacement)
        else
            el.find(".replacement").remove()

        if warning
-            el.find(".warning").html(warning)
+            el.find(".warning").text(warning)
        else
            el.find(".warning").remove()

        choicesField = el.find(".choices")
        choicesField.html('')
        _.each choices, (value, key) ->
+            value = _.escape(value)
            choicesField.append(angular.element("<option value='#{key}'>#{value}</option>"))

        # Assign event handlers