From 2e2f1dc4cf296d0ff8593abb403eb85ad89535de Mon Sep 17 00:00:00 2001
From: Marius Burkard
Date: Fri, 29 Dec 2017 14:09:42 +0100
Subject: [PATCH] - fixed XSS vulnerability in select2 usage
---
 .../themes/default/assets/javascripts/ispconfig.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/interface/web/themes/default/assets/javascripts/ispconfig.js b/interface/web/themes/default/assets/javascripts/ispconfig.js
index fcd5167a8..e18bd20f5 100644
--- a/interface/web/themes/default/assets/javascripts/ispconfig.js
+++ b/interface/web/themes/default/assets/javascripts/ispconfig.js
@@ -103,13 +103,13 @@ var ISPConfig = {
 width: 'element',
 selectOnBlur: true,
 allowClear: true,
- formatResult: function(o) {
- if(o.id && $(o.element).parent().hasClass('flags')) return '' + o.text + '';
- else return o.text;
+ formatResult: function(o, cont, qry, escapeMarkup) {
+ if(o.id && $(o.element).parent().hasClass('flags')) return '' + escapeMarkup(o.text) + '';
+ else return escapeMarkup(o.text);
 },
- formatSelection: function(o) {
- if(o.id && $(o.element).parent().hasClass('flags')) return '' + o.text + '';
- else return o.text;
+ formatSelection: function(o, cont, escapeMarkup) {
+ if(o.id && $(o.element).parent().hasClass('flags')) return '' + escapeMarkup(o.text) + '';
+ else return escapeMarkup(o.text);
 }
 }).on('change', function(e) {
 if ($("#pageForm .table #Filter").length > 0) {
-- 
GitLab
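Review bot: Both rewritten callbacks take `escapeMarkup` as a positional argument (fourth in `formatResult`, third in `formatSelection`), so the fix holds only if the bundled select2 build passes it in exactly those positions; on a build that does not, the call would throw and the dropdown would stop rendering. A comment above `formatResult` would pin that dependency, e.g. `// select2 3.x passes escapeMarkup last: formatResult(o, container, query, escapeMarkup), formatSelection(o, container, escapeMarkup)`. The string literals around `escapeMarkup(o.text)` appear empty in this rendering, presumably because their markup was stripped; if that markup interpolates any other option-derived value (for instance into a class attribute), that value needs the same escaping. The two callbacks are otherwise identical and could share one helper. The enclosing select2 options object starts and ends outside the hunk.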