N°931 Fix XSS in console.

2026-04-24 02:58:43 +02:00 · 2018-09-28 12:08:14 +02:00
parent 46dee2919e
commit 333c51b0f9
2 changed files with 4 additions and 3 deletions
--- a/application/itopwebpage.class.inc.php
+++ b/application/itopwebpage.class.inc.php
@@ -265,8 +265,9 @@ EOF
 	$('.attribute-set-item').each(function(){
 	    $(this).qtip({
 	       content: {
+	       	 // Encoding only title as the content is already sanitized by the HTML attribute.
 	         text: $(this).attr('data-description'),
-	         title: { text: $(this).attr('data-label')},
+	         title: { text: $('<div/>').text($(this).attr('data-label')).html()},
 	       },
 	       show: { delay: 300, when: 'mouseover' },
 	       hide: { delay: 140, when: 'mouseout', fixed: true },