Use jQuery's text() method for proper escaping when inserting data.label string

2026-04-07 03:00:20 -04:00 · 2019-04-30 17:33:26 -05:00
parent 5e8bc204c1
commit a5a0f23c3a
5 changed files with 5 additions and 5 deletions
--- a/inst/www/shared/shiny.js
+++ b/inst/www/shared/shiny.js
@@ -4338,7 +4338,7 @@ function _defineProperty(obj, key, value) { if (key in obj) { Object.definePrope
        if (hasLabelTag) {
          labelTag.text(data.label);
        } else {
-          $('<label for="' + $escape(el.id) + '">' + data.label + '</label>').insertBefore(el);
+          $('<label for="' + $escape(el.id) + '"></label>').text(data.label).insertBefore(el);
        }
      } else {

--- a/inst/www/shared/shiny.js.map
+++ b/inst/www/shared/shiny.js.map
--- a/inst/www/shared/shiny.min.js
+++ b/inst/www/shared/shiny.min.js
--- a/inst/www/shared/shiny.min.js.map
+++ b/inst/www/shared/shiny.min.js.map
--- a/srcjs/input_binding_text.js
+++ b/srcjs/input_binding_text.js
@@ -40,7 +40,7 @@ $.extend(textInputBinding, {
      if (hasLabelTag) {
        labelTag.text(data.label);
      } else {
-        $('<label for="' + $escape(el.id) + '">' + data.label + '</label>').insertBefore(el);
+        $('<label for="' + $escape(el.id) + '"></label>').text(data.label).insertBefore(el);
      }

    } else {