From 0fa6386b1c84caf298e85f84e2d11e7feccb3d63 Mon Sep 17 00:00:00 2001
From: Nathan Gray
Date: Wed, 26 Jun 2013 14:11:54 +0000
Subject: [PATCH] Avoid XSS by using CSS to keep line breaks intact instead.
---
 etemplate/js/et2_widget_textbox.js | 7 +------
 etemplate/templates/default/etemplate2.css | 7 +++++--
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/etemplate/js/et2_widget_textbox.js b/etemplate/js/et2_widget_textbox.js
index 42ed7b6e52..92d36313f7 100644
--- a/etemplate/js/et2_widget_textbox.js
+++ b/etemplate/js/et2_widget_textbox.js
@@ -235,12 +235,7 @@ var et2_textbox_ro = et2_valueWidget.extend([et2_IDetachedDOM],
 {
 _value = "";
 }
- else
- {
- _value = _value.replace(/\n/g,'
');
- }
- // Use html() or the
gets stripped
- this.span.html(_value);
+ this.span.text(_value);
 },
 /**
 * Code for implementing et2_IDetachedDOM
diff --git a/etemplate/templates/default/etemplate2.css b/etemplate/templates/default/etemplate2.css
index 860293051e..b248e9f3a2 100644
--- a/etemplate/templates/default/etemplate2.css
+++ b/etemplate/templates/default/etemplate2.css
@@ -238,6 +238,9 @@ button.et2_button_text:focus, input[type=button]:focus {
 .et2_textbox {
 resize: none;
 }
+.et2_textbox_ro {
+ white-space: pre-wrap;
+}
 .et2_bold {
 font-weight: bold;
@@ -678,10 +681,10 @@ ul.et2_vfs {
 /**
 * Validation
 */
-input[required] {
+[required] {
 background-color: #ffffd0;
 }
-input.invalid {
+.invalid {
 border: 1px solid #a6261d;
 background-color: #faecec;
 }
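Review bot: The new `this.span.text(_value);` line drops the comment that explained the rendering choice, so nothing in this method records that line breaks now depend on the `.et2_textbox_ro { white-space: pre-wrap; }` rule added to etemplate2.css in the same commit; a later maintainer chasing "newlines don't show" could reintroduce `html()` and the injection with it. Suggest a one-line comment above it: `// Use text(), never html(): _value is untrusted; newlines are kept by .et2_textbox_ro { white-space: pre-wrap } in etemplate2.css`. The hunk does not show that `this.span` actually carries the `et2_textbox_ro` class, so that linkage is worth confirming where the span is created. The enclosing method starts before the hunk.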
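Review bot: `white-space: pre-wrap` on `.et2_textbox_ro` preserves runs of spaces and tabs as well as newlines, whereas the removed `html()` path only turned newlines into `<br />` and let the browser collapse other whitespace, so values with leading or repeated whitespace will now render differently. If only line breaks need to survive, `white-space: pre-line;` keeps newlines while still collapsing other whitespace and is closer to the old behaviour. Either way the rule only applies to elements that carry this class, which this hunk cannot confirm for the read-only span.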
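Review bot: Dropping the `input` prefix from `input[required]` and `input.invalid` widens these rules to every element with a `required` attribute or an `invalid` class (select, textarea, or any wrapper element given that class), which is a visible behaviour change unrelated to the XSS fix in the commit title. If the intent is to cover the other form controls, `input[required], select[required], textarea[required] {` and the matching list for `.invalid` keep the scope explicit; otherwise this hunk belongs in its own commit with a line in the description saying why.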