escape() instead of String() to prevent XSS and ensure correct formatting

f4930013 · Josh Schmidt · 17c16277 · f4930013
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

src/pages/_includes/ui/select.html src/pages/_includes/ui/select.html +2 -2

未找到文件。
--- a/src/pages/_includes/ui/select.html
+++ b/src/pages/_includes/ui/select.html
@@ -72,9 +72,9 @@
 				},
 				option: function(data,escape){
 					if( data.customProperties ){
-						return '<div><span class="dropdown-item-indicator">' + data.customProperties + '</span>' + String(data.text) + '</div>';
+						return '<div><span class="dropdown-item-indicator">' + data.customProperties + '</span>' + escape(data.text) + '</div>';
 					}
-					return '<div>' + String(data.text) + '</div>';
+					return '<div>' + escape(data.text) + '</div>';
 				},
 			},
 		}));