From 4ec786bb4743f67a35a634c1bf43b13d3d3b39a9 Mon Sep 17 00:00:00 2001
From: Shawn M Moore <shawn@bestpractical.com>
Date: Tue, 28 Jul 2015 19:41:44 +0000
Subject: [PATCH] Escape principal name as we insert it into the DOM

jQuery's text() setter inserts the passed-in value as a text node rather than
parsing it as markup. Using the original html() leaves us vulnerable to an XSS
injection attack. This resolves CVE-2015-5475.
---
 share/html/NoAuth/js/util.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/share/html/NoAuth/js/util.js
+++ b/share/html/NoAuth/js/util.js
@@ -331,7 +331,7 @@ function toggle_addprincipal_validity(in
 
 function update_addprincipal_title(title) {
     var h3 = jQuery("#acl-AddPrincipal h3");
-    h3.html( h3.text().replace(/: .*$/,'') + ": " + title );
+    h3.text( h3.text().replace(/: .*$/,'') + ": " + title );
 }
 
 // when a value is selected from the autocompleter
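Review bot: The switch to the text() setter on the `h3.text(...)` line is the right sink for an attacker-controlled principal name, but nothing in the function records why, and the next maintainer who needs markup in the heading may reach for html() again; suggest a comment above the assignment: `// title is a user-supplied principal name: set it with text(), never html() (CVE-2015-5475).` The text() setter also replaces the whole heading content, so any child elements the h3 may carry in the template would be flattened — I cannot see the markup from the hunk, so this only matters if the heading is not plain text. The hunk ends at the comment introducing the autocompleter callback, so whether the same title value reaches another html() sink there is not visible here.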
