BUGFIX Escape HTML in DropdownField and ListboxField

Fixes reflected XSS in Group titles when using in group selections (e.g. in "New Member" form).
2024-10-22 12:05:37 +00:00 · 2013-01-04 18:09:39 +01:00 · 2013-01-04 18:09:39 +01:00 · f8bbc0a726
commit f8bbc0a726
parent 604ede30a4
1 changed files with 1 additions and 1 deletions
--- a/templates/forms/DropdownField.ss
+++ b/templates/forms/DropdownField.ss
@ -1,5 +1,5 @@
 <select $AttributesHTML>
 <% loop Options %>
-	<option value="$Value"<% if Selected %> selected="selected"<% end_if %><% if Disabled %> disabled="disabled"<% end_if %>>$Title</option>
+	<option value="$Value.XML"<% if Selected %> selected="selected"<% end_if %><% if Disabled %> disabled="disabled"<% end_if %>>$Title.XML</option>
 <% end_loop %>
 </select>