Commit dc2be10a authored by alexpott's avatar alexpott

Issue #2567673 by joelpittet: Escaped markup with $.text() injected into a tag will cause XSS

parent df7ced55
......@@ -291,7 +291,7 @@
*/
Drupal.viewsUi.AddItemForm.prototype.handleCheck = function (event) {
var $target = $(event.target);
var label = $.trim($target.next().text());
var label = $.trim($target.next().html());
// Add/remove the checked item to the list.
if ($target.is(':checked')) {
this.$selected_div.show().css('display', 'block');
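Review bot: The new `label` line reads `$target.next().html()` with no comment saying why markup rather than text is wanted, so a later cleanup could switch it back to `.text()` and reintroduce the injection described in the commit title. I would add `// Keep entities encoded: label is inserted as markup, and .text() would decode them.` directly above it. With `.html()` the value also carries any child elements of the label element, so it is safe only if that element's content is already sanitised on the server and every consumer treats `label` as HTML; the consumer is presumably further down in `handleCheck`, whose body continues outside the hunk. If that sink can be changed, reading with `.text()` and inserting through a text-only API would remove the dependency on the source markup being clean.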
......