With .html() on the text for the menu, XSS can be passed through since jQuery calls eval on the html passed through. Changed .html() to .text()

Author: Greg Block

src/jquery.contextMenu.js

@@ -980,7 +980,7 @@ var // currently active contextMenu trigger
                         $t.addClass('context-menu-html not-selectable');
                     } else if (item.type) {
                         $label = $('<label></label>').appendTo($t);
-                        $('<span></span>').html(item._name || item.name).appendTo($label);
+                        $('<span></span>').text(item._name || item.name).appendTo($label);
                         $t.addClass('context-menu-input');
                         opt.hasTypes = true;
                         $.each([opt, root], function(i,k){
@@ -1039,8 +1039,7 @@ var // currently active contextMenu trigger
                             break;
 
                         case 'sub':
-                            // FIXME: shouldn't this .html() be a .text()?
-                            $('<span></span>').html(item._name || item.name).appendTo($t);
+                            $('<span></span>').text(item._name || item.name).appendTo($t);
                             item.appendTo = item.$node;
                             op.create(item, root);
                             $t.data('contextMenu', item).addClass('context-menu-submenu');
@@ -1058,8 +1057,7 @@ var // currently active contextMenu trigger
                                     k.callbacks[key] = item.callback;
                                 }
                             });
-                            // FIXME: shouldn't this .html() be a .text()?
-                            $('<span></span>').html(item._name || item.name || "").appendTo($t);
+                            $('<span></span>').text(item._name || item.name || "").appendTo($t);
                             break;
                     }