- fixed XSS vulnerability in select2 usage

Marius Burkard · Marius Burkard · commit 2e2f1dc4cf29 · 2017-12-29T14:09:42.000+01:00
diff --git a/interface/web/themes/default/assets/javascripts/ispconfig.js b/interface/web/themes/default/assets/javascripts/ispconfig.js
@@ -103,13 +103,13 @@ var ISPConfig = {
 				width: 'element',
 				selectOnBlur: true,
 				allowClear: true,
-				formatResult: function(o) {
-					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + o.text + '</span>';
-					else return o.text;
+				formatResult: function(o, cont, qry, escapeMarkup) {
+					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
+					else return escapeMarkup(o.text);
 				},
-				formatSelection: function(o) {
-					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + o.text + '</span>';
-					else return o.text;
+				formatSelection: function(o, cont, escapeMarkup) {
+					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
+					else return escapeMarkup(o.text);
 				}
 			}).on('change', function(e) {
 				if ($("#pageForm .table #Filter").length > 0) {
