Avoid XSS by using CSS to keep line breaks intact instead.

Nathan Gray 2013-06-26 14:11:54 +00:00
parent 52933ba6c3
commit 0fa6386b1c
2 changed files with 6 additions and 8 deletions


@ -235,12 +235,7 @@ var et2_textbox_ro = et2_valueWidget.extend([et2_IDetachedDOM],
{
_value = "";
}
else
{
_value = _value.replace(/\n/g,'<br />');
}
// Use html() or the <br /> gets stripped
this.span.html(_value);
this.span.text(_value);
},
/**
* Code for implementing et2_IDetachedDOM
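Review bot: The reason the plain `text()` call still renders line breaks is no longer documented, because the old `// Use html() or the <br /> gets stripped` comment left with the `html()` line and nothing replaces it. A comment above `this.span.text(_value);` such as `// text() escapes markup; line breaks are kept by white-space: pre-wrap on .et2_textbox_ro` would tie the widget to the stylesheet rule this commit depends on. That also presumes the span actually carries the et2_textbox_ro class, which is set outside this hunk and worth confirming. The enclosing method begins before the hunk.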


@ -238,6 +238,9 @@ button.et2_button_text:focus, input[type=button]:focus {
.et2_textbox {
resize: none;
}
.et2_textbox_ro {
white-space: pre-wrap;
}
.et2_bold {
font-weight: bold;
@ -678,10 +681,10 @@ ul.et2_vfs {
/**
* Validation
*/
input[required] {
[required] {
background-color: #ffffd0;
}
input.invalid {
.invalid {
border: 1px solid #a6261d;
background-color: #faecec;
}
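Review bot: `white-space: pre-wrap` on `.et2_textbox_ro` preserves runs of spaces and tabs as well as newlines, whereas the replaced JavaScript only turned `\n` into `<br />` and let other whitespace collapse, so some values will now render differently; if only line breaks are meant, `white-space: pre-line;` keeps newlines and still collapses the rest. A short comment on the rule, e.g. `/* read-only textbox: keep line breaks without injecting <br /> markup */`, would record why it exists. The second hunk's widening of `input[required]` to `[required]` and `input.invalid` to `.invalid` is unrelated to the XSS fix and would be easier to review and backport as its own commit.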