author | Stephen Beaver <sbeaver@netgate.com> | 2016-01-20 11:54:44 -0500 |
---|---|---|
committer | Stephen Beaver <sbeaver@netgate.com> | 2016-01-20 11:54:44 -0500 |
commit | 4979fb6abfcdc93b3286bcbf3d3457e51f15e32d (patch) | |
tree | cff190963fd0ebd3c9f6d8a0be97ee1b9a89f41f /src/usr/local | |
parent | 1ee9fb20a3241e74740cfd278bea458bb8c3e873 (diff) | |
download | pfsense-4979fb6abfcdc93b3286bcbf3d3457e51f15e32d.zip pfsense-4979fb6abfcdc93b3286bcbf3d3457e51f15e32d.tar.gz |
Escape HTML on re-saving separator text
Diffstat (limited to 'src/usr/local')
-rw-r--r-- | src/usr/local/www/firewall_rules.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/usr/local/www/firewall_rules.php b/src/usr/local/www/firewall_rules.php
index 1dabf99..7034258 100644
--- a/src/usr/local/www/firewall_rules.php
+++ b/src/usr/local/www/firewall_rules.php
@@ -885,7 +885,8 @@ events.push(function() {
 sepinput = '<input type="hidden" name="separator[' + sepnum + '][row]" value="' + seprow + '"></input>';
 $('form').append(sepinput);
- sepinput = '<input type="hidden" name="separator[' + sepnum + '][text]" value="' + $(this).find('td').text() + '"></input>';
+ sepinput = '<input type="hidden" name="separator[' + sepnum + '][text]" value="' + escapeHtml($(this).find('td').text()) + '"></input>';
+ alert(sepinput);
 $('form').append(sepinput);
 sepinput = '<input type="hidden" name="separator[' + sepnum + '][color]" value="' + $(this).find('td').prop('class') + '"></input>';
 $('form').append(sepinput); |
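Review bot: The added `alert(sepinput);` looks like leftover debugging and should be dropped before release, since it pops a dialog for every separator each time the rules are saved. The escaped text is also placed inside a double-quoted `value="…"` attribute, so the fix only holds if `escapeHtml` (defined outside this hunk) encodes `"` as well as `<`, `>` and `&`; that is worth confirming. Building the element through the DOM avoids the string-context question entirely, e.g. `$('<input type="hidden">').attr('name', 'separator[' + sepnum + '][text]').val($(this).find('td').text()).appendTo('form');`. The neighbouring `[row]` and `[color]` inputs are still concatenated unescaped; they come from an element id and class rather than free text, but the same DOM-based construction would cover them. The enclosing function starts and ends outside the hunk.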