- Type: Bug
- Resolution: Fixed
- Priority: Normal
- Affects Version/s: 5.0.10
- Component/s: None
- None
Follow up on ZK-676
If tooltiptext attribute is bound in a zul to an HTML string, HTML gets escaped with &amp;gt;, <, etc.
If, however, it's set at runtime, it gets displayed correctly.
Say string is like this: foobar"><script>alert("Hi!")</script><!--
If tooltiptext is bound to it, it gets rendered as
foobar"><script>alert("Hi!")</script><!--
If it's set at runtime, this is the result:
foobar"><script>alert("Hi!")</script><!--
Preferably, it should always be the latter result.
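
The difference between the two paths in this report, modelled as an added example (not ZK code and not part of the original report): an attribute value escaped zero, one, or two times, read back with the single entity-decoding pass an HTML parser applies. The function names and the `<span title>` markup are assumptions for illustration.

```javascript
// Added example: models HTML attribute escaping; it is not ZK's implementation.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([ch, ent]) => [ent, ch]));

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, ch => ENTITIES[ch]);
}

// An HTML parser decodes character references in an attribute value exactly once.
function decodeOnce(value) {
  return value.replace(/&(?:amp|lt|gt|quot|#39);/g, ent => DECODE[ent]);
}

// Escape `value` `passes` times, place it in a title attribute, then read the
// attribute back the way a parser would (hypothetical helper).
function renderTitle(value, passes) {
  let attr = value;
  for (let i = 0; i < passes; i++) attr = escapeAttr(attr);
  const markup = `<span title="${attr}">x</span>`;
  const m = /^<span title="([^"]*)">x<\/span>$/.exec(markup);
  return { markup, intact: m !== null, shown: m ? decodeOnce(m[1]) : null };
}

// Heuristic check for output escaped more than once. It also fires when the
// source text itself contains an entity, so treat a hit as a prompt to inspect.
function looksDoubleEscaped(attr) {
  return /&amp;(?:amp|lt|gt|quot|#39);/.test(attr);
}

// Sample string from the report.
const SAMPLE = 'foobar"><script>alert("Hi!")</script><!--';

const raw = renderTitle(SAMPLE, 0);    // value ends the attribute early
const once = renderTitle(SAMPLE, 1);   // tooltip shows the original text, inert
const twice = renderTitle(SAMPLE, 2);  // tooltip shows literal &quot;, &gt;, ...

console.log(raw.intact, once.shown, twice.shown);
```

Escaping exactly once is the case where the tooltip shows the original string and the markup stays intact; the double-escaped case is safe but displays entities to the user.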