Ticket #2529231 (closed defect)


Jenny Donnelly
Opened: 12/22/10
Last modified: 04/13/11
Status: closed
Type: defect
Resolution: fixed


Satyen Desai
Target Release: 2.9.0
Priority: P3 (normal)
Summary: Potential security issue should be documented: addItem() accepts HTML, not text

Originally filed in bug #2529228.

The addItem() method accepts HTML but documentation says it accepts text. This is a security issue for implementers who are not aware they need to scrub HTML.

For the related AutoComplete issue, I am updating the documentation to be clear that HTML is passed through as-is and also providing an alternative text-formatting function that scrubs incoming HTML.
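Added example (not part of the original ticket or the YUI code base): one way an implementer can scrub untrusted labels before they reach addItem(). It assumes items are passed either as a string or as an object literal with a `text` property. The names `escapeHtml`, `toSafeItem`, `addTextItem` and `FakeMenu` are hypothetical.

```javascript
// Added example: HTML-escape untrusted text before it reaches a menu API that
// treats item text as markup. FakeMenu is a constructed stand-in (assumption),
// recording the string a real menu would write into the page as HTML.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
};

// Replace every character that can open a tag, entity, or attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Normalise the two plain-data item shapes (string, or object literal with a
// `text` property) into a copy whose text is safe to render as HTML.
function toSafeItem(item) {
  if (typeof item === "string") return escapeHtml(item);
  if (item !== null && typeof item === "object" && "text" in item) {
    return Object.assign({}, item, { text: escapeHtml(item.text) });
  }
  // Anything else (e.g. a prebuilt item object) is refused rather than passed
  // through unescaped.
  throw new TypeError("unsupported menu item shape");
}

// Hypothetical wrapper: the only path by which untrusted labels reach addItem().
function addTextItem(menu, item, groupIndex) {
  return menu.addItem(toSafeItem(item), groupIndex);
}

// Constructed stand-in for a menu whose addItem() passes HTML through as-is.
class FakeMenu {
  constructor() { this.rendered = []; }
  addItem(item) {
    const html = typeof item === "string" ? item : item.text;
    this.rendered.push(html);
    return html;
  }
}

// Constructed sample labels, as they might arrive from user-supplied data.
function demo() {
  const menu = new FakeMenu();
  addTextItem(menu, 'Reports <img src="x" onerror="f()">');
  addTextItem(menu, { text: "R&D <b>budget</b>", url: "/budget" });
  return menu.rendered;
}
```

Escape once, at the point where untrusted text enters the menu; a label that is already entity-encoded will be displayed with its entities visible.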

Type: defect
Observed in Version: development master
Component: Menu
Severity: S3 (normal)
Assigned To: Satyen Desai
Target Release: 2.9.0
Location: Library Code
Priority: P3 (normal)
Tags:
Relates To: #2529228
Browsers: N/A
Test Information:

Change History

Satyen Desai

YUI Developer

Posted: 12/22/10
  • milestone changed to 2.9.0
  • status changed from new to accepted

Jenny Donnelly

YUI Developer

Posted: 02/15/11
  • milestone changed from 2.9.0 to 2.8.3
  • status changed from accepted to checkedin

Commit b6f0276b. 2.8.3 and merged to master.


YUI Developer

Posted: 04/13/11
  • milestone changed from 2.8.3 to 2.9.0


YUI Developer

Posted: 04/13/11
  • resolution changed to fixed
  • status changed from checkedin to closed