AnanthaKN / jquery-in-place-editor

Automatically exported from code.google.com/p/jquery-in-place-editor

Unsafe inserting of new values #89

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Run inplace editor.
2. Type something like - <img 
src="http://www.google.com/images/logos/ps_logo2.png" onload=alert(1337)>
3. Submit changes.

What is the expected output? What do you see instead?
The update should be safe, with properly escaped html entities.
But Firefox (3.x, 4.0) browser will fire an alert dialog.
See also - http://stackoverflow.com/questions/1147359/jquery-decode-html-entities/2419664#2419664

What version of the product are you using? On what operating system?
2.2.1

Please provide any additional information below.

Original issue reported on code.google.com by maxim.av...@gmail.com on 26 Mar 2011 at 8:13

GoogleCodeExporter commented 8 years ago
As a partial workaround to this, you can do two things:

1. Use a callback and return the escaped version by returning
    $('<div/>').text(entered_text).html();
2. Set the saving_text value to something.  If you don't set this, the new html 
will get put in the DOM anyway just before your escaped version.

Original comment by jamu...@gmail.com on 22 Jul 2011 at 11:49
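A dependency-free version of the workaround above, added here as an example (not code from the plugin or from the commenter). The `escapeHtml` function does what the `$('<div/>').text(s).html()` idiom does and additionally escapes quotes; the callback parameter order, the `editInPlace` entry point and the option names `callback` / `saving_text` are assumed from the plugin's documentation.

```javascript
// Added example: escape user input before jquery-in-place-editor displays it.
// Mirrors the $('<div/>').text(s).html() idiom from the comment above, but
// needs no jQuery and also escapes quotes so the output is safe inside
// quoted attribute values, not only in text nodes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")   // must run first so later entities are not doubled
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Value the plugin's `callback` hands back for display: the escaped text.
// Parameter order (id, enteredText, originalHtml, settings) is assumed from
// the plugin's documented callback signature; only enteredText is used.
function safeCallback(idOfEditor, enteredText, originalHtml, settings) {
  return escapeHtml(enteredText);
}

// Options to pass as $(selector).editInPlace(editorOptions()) (assumed API).
// `saving_text` is set so the raw input is not written into the DOM while the
// callback runs, which is the second point in the comment above.
function editorOptions() {
  return {
    callback: safeCallback,
    saving_text: "Saving...",
  };
}

// Constructed check using the reproduction string from the issue report.
const PAYLOAD =
  '<img src="http://www.google.com/images/logos/ps_logo2.png" onload=alert(1337)>';

function demo() {
  const out = safeCallback("editor-1", PAYLOAD, "", editorOptions());
  // With every '<' encoded the browser renders the string as text, not markup.
  return { escaped: out, containsTag: /<[a-z]/i.test(out) };
}
```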