mirror of
https://github.com/discourse/discourse.git
synced 2024-12-05 11:46:18 +08:00
0f7b198ca0
The values in Discourse dropdown menus only come from admin-defined strings, not unsanitised end-user input, so this lack of escaping was not exploitable.
11 lines
392 B
Handlebars
11 lines
392 B
Handlebars
<button aria-label={{i18n "select_kit.delete_item" name=itemName}} id="{{id}}-choice" data-value={{itemValue}} data-name={{itemName}} type="button" {{action selectKit.deselect item}} class="btn btn-default selected-choice {{extraClass}}">
|
|
{{d-icon "times"}}
|
|
{{#if (has-block)}}
|
|
{{yield}}
|
|
{{else}}
|
|
<span class="d-button-label">
|
|
{{itemName}}
|
|
</span>
|
|
{{/if}}
|
|
</button>
|