
Commit f400810

committed
html() -> text()
1 parent 0c041be commit f400810


3 files changed

+14
-5
lines changed


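--- a/README.md
+++ b/README.md
@@ -93,6 +93,10 @@ simple app that loads Bootstrap and this gem.
 
 ## Changelog
 
+### 2.0.2 (January 18, 2022)
+
+* BREAKING: Resolved possible XSS by using .text() over .html()
+
 ### 2.0.1 (January 14, 2018)
 
 * [(eirvandelden)](https://github.com/eirvandelden) [Bootstrap 4 version is stored in Tooltip.VERSION](https://github.com/bluerail/twitter-bootstrap-rails-confirm/pull/38)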

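--- a/lib/twitter-bootstrap-rails-confirm/version.rb
+++ b/lib/twitter-bootstrap-rails-confirm/version.rb
@@ -2,7 +2,7 @@ module Twitter
 module Bootstrap
 module Rails
 module Confirm
-VERSION = "2.0.1"
+VERSION = "2.0.2"
 end
 end
 end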

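--- a/vendor/assets/javascripts/twitter/bootstrap/rails/confirm.js
+++ b/vendor/assets/javascripts/twitter/bootstrap/rails/confirm.js
@@ -42,12 +42,17 @@
 $dialog.addClass("fade");
 }
 
-$dialog.find(".modal-header .modal-title").html(element.data("confirm-title") || $.fn.twitter_bootstrap_confirmbox.defaults.title || window.top.location.origin);
+$dialog.find(".modal-header .modal-title").text(element.data("confirm-title") || $.fn.twitter_bootstrap_confirmbox.defaults.title || window.top.location.origin);
 
-$dialog.find(".modal-body").html(message.toString().replace(/\n/g, "<br />"));
+var dialog_body = $dialog.find(".modal-body");
+var paragraphs = message.toString().split(/\n/);
+dialog_body.html('');
+for (var paragraph_index in paragraphs) {
+$("<p></p>").appendTo(dialog_body).text(paragraphs[paragraph_index]);
+}
 
 var cancel_buton = $("<a />", { href: "#", "data-dismiss": "modal" });
-cancel_buton.html(element.data("confirm-cancel") || $.fn.twitter_bootstrap_confirmbox.defaults.cancel);
+cancel_buton.text(element.data("confirm-cancel") || $.fn.twitter_bootstrap_confirmbox.defaults.cancel);
 cancel_buton.addClass($.fn.twitter_bootstrap_confirmbox.defaults.cancel_class);
 cancel_buton.addClass(element.data("confirm-cancel-class") || (bootstrap_version === 4 ? "btn-secondary" : void 0) || "btn-default");
 cancel_buton.click(function(event) {
@@ -57,7 +62,7 @@
 $dialog.find(".modal-footer").append(cancel_buton);
 
 var confirm_button = $("<a />", { href: "#" });
-confirm_button.html(element.data("confirm-proceed") || $.fn.twitter_bootstrap_confirmbox.defaults.proceed);
+confirm_button.text(element.data("confirm-proceed") || $.fn.twitter_bootstrap_confirmbox.defaults.proceed);
 confirm_button.addClass($.fn.twitter_bootstrap_confirmbox.defaults.proceed_class);
 confirm_button.addClass(element.data("confirm-proceed-class") || "btn-primary");
 confirm_button.click(function(event) {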
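Review bot: The new loop `for (var paragraph_index in paragraphs)` in the first hunk walks enumerable properties rather than array indices, so any enumerable property another script on the page adds to Array.prototype would be rendered as an extra paragraph; a counted loop avoids that: `for (var i = 0; i < paragraphs.length; i++) { $("<p></p>").appendTo(dialog_body).text(paragraphs[i]); }`. The switch to .text() for the title, body and button labels does close the markup-injection path for data-confirm-* values, and `dialog_body.html('')` can be written as `dialog_body.empty()` for the same effect. Rendering each line as a `<p>` also changes vertical spacing compared with the previous `<br />` layout, which is presumably why the changelog marks the release as breaking; if the old layout matters, appending text nodes separated by `$("<br />")` elements keeps it without reintroducing unescaped markup. The enclosing function starts before the first hunk and continues past the second.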
