X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=js%2FCommon.js;h=47c6e48b18e095dd3950eaa92d0d0e7e034f8ca0;hb=f86965934c7d4bbd2953e72abcd2be6e6b095bf7;hp=25e228b594c3d41cda2825aa5d98fef43099e178;hpb=08ff628c6d369dc380b56d63a917f5e9f47adc7e;p=civicrm-core.git
diff --git a/js/Common.js b/js/Common.js
index 25e228b594..47c6e48b18 100644
--- a/js/Common.js
+++ b/js/Common.js
@@ -1598,6 +1598,25 @@ if (!CRM.vars) CRM.vars = {};
 return (yiq >= 128) ? 'black' : 'white';
 };
 
+ // based on https://github.com/janl/mustache.js/blob/master/mustache.js
+ // If you feel the need to use this function, consider whether assembling HTML
+ // via DOM might be a cleaner approach rather than using string concatenation.
+ CRM.utils.escapeHtml = function(string) {
+ var entityMap = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": ''',
+ '/': '/',
+ '`': '`',
+ '=': '='
+ };
+ return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
+ return entityMap[s];
+ });
+ }
+
 // CVE-2015-9251 - Prevent auto-execution of scripts when no explicit dataType was provided
 $.ajaxPrefilter(function(s) {
 if (s.crossDomain) {
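Review bot: As rendered here, every value in entityMap equals its key (`'&': '&'`, `'<': '<'`, …), which would make CRM.utils.escapeHtml an identity function and pass untrusted markup through unchanged; this is most likely the entity references (`&amp;`, `&lt;`, `&quot;` and so on, as in the mustache.js source the comment cites) being decoded by the page rendering, but the committed map should be checked for the literal entity strings, ideally with a unit test asserting that `CRM.utils.escapeHtml('<a href="x">')` does not contain a raw `<`. The function expression also ends in a bare `}` before the blank line, unlike the `};` that closes the sibling assignment above it; make it `};` for consistency. A short JSDoc would help callers, e.g. `/** Escape text for insertion into HTML markup; non-strings are coerced via String(). @param {*} string @returns {string} */`.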