Fix xss bug in multiple select box

forkcms · Mar 23, 2022 · 8e87608 · 8e87608
1 parent c9d0f23
commit 8e87608
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/Backend/Core/Js/jquery/jquery.backend.js b/src/Backend/Core/Js/jquery/jquery.backend.js
@@ -1043,7 +1043,7 @@
         '    <div class="input-group">' +
         '        <select size="1" class="form-control select dontSubmit" id="addValue-' + id + '" name="addValue-' + id + '">'
       for (var i = 0; i < possibleOptions.length; i++) {
-        html += '            <option value="' + $(possibleOptions[i]).attr('value') + '">' + $(possibleOptions[i]).html() + '</option>'
+        html += '            <option value="' + $('<div>').text($(possibleOptions[i]).attr('value')).html() + '">' + $(possibleOptions[i]).text() + '</option>'
       }
 
       html += '        </select>' +