Commit fcdfc46a authored by markcarver's avatar markcarver

Issue #2999163 by markcarver, Gomez_in_the_South: XSS vulnerability in bootstrap.js

Signed-off-by: markcarver's avatarMark Carver <mark.carver@me.com>
parent ef6f5df7
......@@ -10,6 +10,8 @@ var Drupal = Drupal || {};
(function($, Drupal){
"use strict";
var $document = $(document);
Drupal.behaviors.bootstrap = {
attach: function(context) {
// Provide some Bootstrap tab/Drupal integration.
......@@ -84,7 +86,7 @@ var Drupal = Drupal || {};
// Popover autoclose.
if (settings.bootstrap.popoverOptions.triggerAutoclose) {
var $currentPopover = null;
$(document)
$document
.on('show.bs.popover', '[data-toggle=popover]', function () {
var $trigger = $(this);
var popover = $trigger.data('bs.popover');
......@@ -122,7 +124,8 @@ var Drupal = Drupal || {};
}
// Retrieve content from a target element.
var $target = $(options.target || $element.is('a[href^="#"]') && $element.attr('href')).clone();
var target = options.target || $element.is('a[href^="#"]') && $element.attr('href');
var $target = $document.find(target).clone();
if (!options.content && $target[0]) {
$target.removeClass('element-invisible hidden').removeAttr('aria-hidden');
options.content = $target.wrap('<div/>').parent()[options.html ? 'html' : 'text']() || '';
......
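Review bot: In the third hunk, an attribute-derived `target` that is not a valid selector will likely make `$document.find(target)` throw, since a bare `href="#"` still matches `a[href^="#"]`, and an uncaught selector error would abort the rest of this behavior. Guarding the lookup keeps the fix without that regression, for example `try { $target = $document.find(target).clone(); } catch (e) { $target = $(); }` with `var $target;` declared first. A short comment above it, such as `// Use .find() so target is only ever parsed as a selector, never as HTML (XSS).`, would stop a later cleanup from reverting to `$(target)`. The enclosing function starts and ends outside the hunk and `options.html` is still honored on the following lines, so where `options` is populated should be confirmed against the caller.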