From f0fa05e0157961128892a50fe022d94fa682e89c Mon Sep 17 00:00:00 2001 From: Akiyah Date: Sun, 5 Jan 2014 02:07:25 +0900 Subject: [PATCH] fix XSS in labels --- plugins/legend.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/plugins/legend.js b/plugins/legend.js index 66408b6..2ff9398 100644 --- a/plugins/legend.js +++ b/plugins/legend.js @@ -120,6 +120,10 @@ var calculateEmWidthInDiv = function(div) { return oneEmWidth; }; +var escapeHTML = function(str) { + return str.replace(/&/g, "&").replace(/"/g, """).replace(//g, ">"); +}; + legend.prototype.select = function(e) { var xValue = e.selectedX; var points = e.selectedPoints; @@ -208,7 +212,7 @@ generateLegendHTML = function(g, x, sel_points, oneEmWidth) { strokePattern = g.getOption("strokePattern", labels[i]); dash = generateLegendDashHTML(strokePattern, series.color, oneEmWidth); html += "" + - dash + " " + labels[i] + ""; + dash + " " + escapeHTML(labels[i]) + ""; } return html; } @@ -245,7 +249,7 @@ generateLegendHTML = function(g, x, sel_points, oneEmWidth) { // TODO(danvk): use a template string here and make it an attribute. html += "" + " " + - pt.name + ": " + yval + ""; + escapeHTML(pt.name) + ": " + yval + ""; } return html; }; -- 2.7.4