
Commit f3137f2

author
Greg Block
committed
Rendering the menu item's name with .html() allowed XSS: jQuery parses the string as HTML, so any markup in the name is inserted into the DOM and inline scripts it contains get executed. Changed .html() to .text() so the name is rendered literally.
1 parent 8d0de4d commit f3137f2

1 file changed

+3
-5
lines changed


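--- a/src/jquery.contextMenu.js
+++ b/src/jquery.contextMenu.js
@@ -980,7 +980,7 @@ var // currently active contextMenu trigger
 $t.addClass('context-menu-html not-selectable');
 } else if (item.type) {
 $label = $('<label></label>').appendTo($t);
-$('<span></span>').html(item._name || item.name).appendTo($label);
+$('<span></span>').text(item._name || item.name).appendTo($label);
 $t.addClass('context-menu-input');
 opt.hasTypes = true;
 $.each([opt, root], function(i,k){
@@ -1039,8 +1039,7 @@ var // currently active contextMenu trigger
 break;
 
 case 'sub':
-// FIXME: shouldn't this .html() be a .text()?
-$('<span></span>').html(item._name || item.name).appendTo($t);
+$('<span></span>').text(item._name || item.name).appendTo($t);
 item.appendTo = item.$node;
 op.create(item, root);
 $t.data('contextMenu', item).addClass('context-menu-submenu');
@@ -1058,8 +1057,7 @@ var // currently active contextMenu trigger
 k.callbacks[key] = item.callback;
 }
 });
-// FIXME: shouldn't this .html() be a .text()?
-$('<span></span>').html(item._name || item.name || "").appendTo($t);
+$('<span></span>').text(item._name || item.name || "").appendTo($t);
 break;
 }
 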
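Review bot: The three new `.text()` calls are inconsistent about a missing name: only the last hunk (old line 1062) appends `|| ""`, while the first two (lines 983 and 1042) pass `item._name || item.name` straight through, and when both are undefined jQuery's `.text(undefined)` acts as a getter rather than setting anything, so the span is appended empty by accident rather than by design. I would make all three read `$('<span></span>').text(item._name || item.name || "").appendTo(...)` so the intent is explicit and the no-name case is handled identically everywhere. The `context-menu-html` branch at line 980 presumably still inserts caller-supplied markup for `html`-type items, so a comment on that branch stating that such items must come from trusted code (e.g. `// html items are inserted as raw markup: never build them from user input`) would document the remaining trust boundary; that branch's body is outside the hunk, so confirm before adding it. The enclosing function starts and ends outside all three hunks.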