discourse/app/assets/javascripts/select-kit/addon/templates/components/selected-choice.hbs
David Taylor 0f7b198ca0
FIX: Ensure values are escaped in select-kit dropdowns (#16576)
The values in Discourse dropdown menus only come from admin-defined strings, not unsanitised end-user input, so this lack of escaping was not exploitable.
2022-04-28 08:52:29 +01:00

11 lines
392 B
Handlebars

<button aria-label={{i18n "select_kit.delete_item" name=itemName}} id="{{id}}-choice" data-value={{itemValue}} data-name={{itemName}} type="button" {{action selectKit.deselect item}} class="btn btn-default selected-choice {{extraClass}}">
{{d-icon "times"}}
{{#if (has-block)}}
{{yield}}
{{else}}
<span class="d-button-label">
{{itemName}}
</span>
{{/if}}
</button>