library-mirrors/jquery-ui
1
0
Fork 0
mirror of https://github.com/jquery/jquery-ui.git synced 2024-11-21 11:04:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Autocomplete: Escape HTML tags in callback name to avoid XSS in demo

Browse Source 
Fixes #15048
This commit is contained in:
Scott González 2016-09-22 07:53:22 -04:00
parent c571d2f234
commit 69e66ea655
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
demos/autocomplete/search.php
View File

@ -586,7 +586,10 @@ foreach ($items as $key=>$value) {
$output = json_encode($result); $output = json_encode($result);
if ($_GET["callback"]) { if ($_GET["callback"]) {
$output = $_GET["callback"] . "($output);"; // Escape special characters to avoid XSS attacks via direct loads of this
// page with a callback that contains HTML. This is a lot easier than validating
// the callback name.
$output = htmlspecialchars($_GET["callback"]) . "($output);";
} }
echo $output; echo $output;