MDL-49144 blocks: Sanitise alt and title for block controls
authorAndrew Nicols <andrew@nicols.co.uk>
Tue, 10 Feb 2015 07:04:12 +0000 (15:04 +0800)
committerDan Poltawski <dan@moodle.com>
Mon, 2 Mar 2015 12:09:45 +0000 (12:09 +0000)
lib/javascript-static.js

index b3e1726..8b6af7c 100644 (file)
@@ -597,14 +597,32 @@ M.util.init_block_hider = function(Y, config) {
                     this.set('block', '#'+this.get('id'));
                     var b = this.get('block'),
                         t = b.one('.title'),
-                        a = null;
+                        a = null,
+                        hide,
+                        show;
                     if (t && (a = t.one('.block_action'))) {
-                        var hide = Y.Node.create('<img class="block-hider-hide" tabindex="0" alt="'+config.tooltipVisible+'" title="'+config.tooltipVisible+'" />');
-                        hide.setAttribute('src', this.get('iconVisible')).on('click', this.updateState, this, true);
+                        hide = Y.Node.create('<img />')
+                            .addClass('block-hider-hide')
+                            .setAttrs({
+                                alt:        config.tooltipVisible,
+                                src:        this.get('iconVisible'),
+                                tabindex:   0,
+                                'title':    config.tooltipVisible
+                            });
                         hide.on('keypress', this.updateStateKey, this, true);
-                        var show = Y.Node.create('<img class="block-hider-show" tabindex="0" alt="'+config.tooltipHidden+'" title="'+config.tooltipHidden+'" />');
-                        show.setAttribute('src', this.get('iconHidden')).on('click', this.updateState, this, false);
+                        hide.on('click', this.updateState, this, true);
+
+                        show = Y.Node.create('<img />')
+                            .addClass('block-hider-show')
+                            .setAttrs({
+                                alt:        config.tooltipHidden,
+                                src:        this.get('iconHidden'),
+                                tabindex:   0,
+                                'title':    config.tooltipHidden
+                            });
                         show.on('keypress', this.updateStateKey, this, false);
+                        show.on('click', this.updateState, this, false);
+
                         a.insert(show, 0).insert(hide, 0);
                     }
                 },
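Review bot: The lowercase `tabindex: 0` key in both `setAttrs()` maps (the `hide` and `show` images) may never reach the element. YUI's `Node#setAttrs` appears to route each key through `Node#set`, which writes DOM properties rather than HTML attributes, and the DOM property is spelled `tabIndex`. If that is the case, the icons lose keyboard focus and the `keypress` handlers bound to `updateStateKey` become unreachable, an accessibility regression from the old markup, which set `tabindex="0"` literally. Confirm in a browser that the rendered `<img>` still carries the attribute, and if not use `tabIndex: 0` in the map or chain `.setAttribute('tabindex', 0)`. As a style point, `'title'` is the only quoted key in each map and could be written as `title:` to match its siblings. The enclosing function starts and ends outside this hunk.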