
Commit c7a7847

committed
COLDBOX-237 #resolve
Some HTMLHelper methods still need escaping, as certain values should never be rendered as HTML
1 parent 322e5e7 commit c7a7847

1 file changed

+7
-7
lines changed

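--- a/system/modules/HTMLHelper/models/HTMLHelper.cfc
+++ b/system/modules/HTMLHelper/models/HTMLHelper.cfc
@@ -118,11 +118,11 @@ component extends="coldbox.system.FrameworkSupertype" accessors=true singleton{
 // Load Asset
 if( findNoCase( ".js", item ) ){
 sb.append(
-'<script src="#jsPath##item#" #asyncStr##deferStr#></script>'
+'<script src="#jsPath##encodeForHTMLAttribute( item )#" #asyncStr##deferStr#></script>'
 );
 } else {
 sb.append(
-'<link href="#cssPath##item#" type="text/css" rel="stylesheet" />'
+'<link href="#cssPath##encodeForHTMLAttribute( item )#" type="text/css" rel="stylesheet" />'
 );
 }
 
@@ -619,15 +619,15 @@ component extends="coldbox.system.FrameworkSupertype" accessors=true singleton{
 // Add single source
 if( arrayLen(arguments.src) eq 1){
 arguments.src[1] = prepareBaseLink(arguments.noBaseURL, arguments.src[1]);
-video.append(' src="#arguments.src[1]#" />');
+video.append(' src="#encodeForHTMLAttribute( arguments.src[ 1 ] )#" />');
 return video.toString();
 }
 
 // create source tags
 video.append(">");
 for(x=1; x lte arrayLen(arguments.src); x++){
 arguments.src[ x ] = prepareBaseLink(arguments.noBaseURL, arguments.src[ x ]);
-video.append('<source src="#arguments.src[ x ]#"/>');
+video.append('<source src="#encodeForHTMLAttribute( arguments.src[ x ] )#"/>');
 }
 video.append("</video>");
 
@@ -684,15 +684,15 @@ component extends="coldbox.system.FrameworkSupertype" accessors=true singleton{
 // Add single source
 if( arrayLen(arguments.src) eq 1){
 arguments.src[1] = prepareBaseLink(arguments.noBaseURL, arguments.src[1]);
-audio.append(' src="#arguments.src[1]#" />');
+audio.append(' src="#encodeForHTMLAttribute( arguments.src[1] )#" />');
 return audio.toString();
 }
 
 // create source tags
 audio.append(">");
 for(x=1; x lte arrayLen(arguments.src); x++){
 arguments.src[ x ] = prepareBaseLink(arguments.noBaseURL, arguments.src[ x ]);
-audio.append('<source src="#arguments.src[ x ]#"/>');
+audio.append('<source src="#encodeForHTMLAttribute( arguments.src[ x ] )#"/>');
 }
 audio.append("</audio>");
 
@@ -964,7 +964,7 @@ component extends="coldbox.system.FrameworkSupertype" accessors=true singleton{
 
 // create textarea
 buffer.append("<textarea");
-flattenAttributes(arguments,"value,label,wrapper,labelWrapper,groupWrapper,labelAttrs,labelClass,bind,bindProperty,inputInsideLabel",buffer).append(">#arguments.value#</textarea>");
+flattenAttributes(arguments,"value,label,wrapper,labelWrapper,groupWrapper,labelAttrs,labelClass,bind,bindProperty,inputInsideLabel",buffer).append(">#encodeForHTML( arguments.value )#</textarea>");
 
 //wrapper?
 wrapTag(buffer,arguments.wrapper,1);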
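Review bot: In the first hunk the `src`/`href` attributes are only partially encoded — `encodeForHTMLAttribute()` wraps `item` but the `jsPath`/`cssPath` prefix is concatenated raw, so the attribute value as a whole is not guaranteed safe; encoding the full value, e.g. `'<script src="#encodeForHTMLAttribute( jsPath & item )#" #asyncStr##deferStr#></script>'` (and the same for the `<link>` line), removes the dependency on where those prefixes come from. If `jsPath`/`cssPath` are fixed configuration paths this is harmless today, but that assumption is not visible in the hunk and deserves a short comment such as `// jsPath/cssPath are trusted config values; only the asset name is caller-supplied` where they are set. The video and audio hunks already follow the whole-value pattern by encoding the `prepareBaseLink()` result, and the textarea hunk correctly uses `encodeForHTML()` rather than the attribute encoder for element content. A minor style point: the video hunk writes `arguments.src[ 1 ]` while the audio hunk writes `arguments.src[1]` on the equivalent line, so one of them should be aligned with the other. The enclosing functions of every hunk start and end outside the visible lines.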