From 7f3cc6428c61dde8afbbe4ba6f7a50728af2449a Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Tue, 12 May 2015 11:20:37 +0800
Subject: Bug 1163393: XSS in the new jQuery autocomplete code r=dkl,a=glob

---
 js/field.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'js')

diff --git a/js/field.js b/js/field.js
index f55852671..5a48db471 100644
--- a/js/field.js
+++ b/js/field.js
@@ -844,8 +844,12 @@ $(function() {
 };
 },
 formatResult: function(suggestion, currentValue) {
- return suggestion.data.name === '' ?
- suggestion.data.login : suggestion.data.name + ' (' + suggestion.data.login + ')';
+ return (suggestion.data.name === '' ?
+ suggestion.data.login : suggestion.data.name + ' (' + suggestion.data.login + ')')
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"');
 },
 onSearchStart: function(params) {
 var that = $(this);
-- cgit v1.2.3-24-g4f1b
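Review bot: The escaping chain added to formatResult does not cover the single quote, and as rendered here the replacement targets look entity-decoded (`.replace(/&/g, '&')` reads as a no-op and the hunk shows five `+` lines against the header's 6 insertions, with `.replace(//g, '>')` looking like a collapsed `<`/`>` pair), so this page cannot confirm that `&`, `<`, `>` and `"` are actually mapped to `&amp;`, `&lt;`, `&gt;` and `&quot;` in the committed file; that should be checked against the repository rather than this rendering. Inlining the chain in one formatter also means any other formatter in the file has to repeat it in the same order; a single helper such as `function escapeHtml(s) { return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;'); }` called as `return escapeHtml(label);` keeps the `&`-first ordering in one place. Whether the autocomplete widget inserts the formatted string as HTML, and whether it is ever placed in an attribute, is not visible in the hunk, so the quote escapes are presumably defensive rather than required. The enclosing `$(function() {` callback and the object literal holding formatResult both begin and end outside the hunk.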