Fix potential XSS in MultiWordSuggestOracle by properly escaping in setDefaultSuggestionsFromText. Review at http://gwt-code-reviews.appspot.com/1630804 Review by: jlabanca@google.com git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@10856 8db76d5a-ed1c-0410-87a9-c151d255dfc7

commit: a5f27fa97dd8b8af8efe1fecd86933b5b4f020d3 [log] [tgz]
author: ehwang@google.com <ehwang@google.com@8db76d5a-ed1c-0410-87a9-c151d255dfc7> Fri Jan 27 16:06:11 2012 +0000
committer: ehwang@google.com <ehwang@google.com@8db76d5a-ed1c-0410-87a9-c151d255dfc7> Fri Jan 27 16:06:11 2012 +0000
tree: 0442afed04ba5d8f305745950eb161f1a57fda75
parent: 2020aed8bd29912671c993f3b78d187598dbb194 [diff]
diff --git a/user/src/com/google/gwt/user/client/ui/MultiWordSuggestOracle.java b/user/src/com/google/gwt/user/client/ui/MultiWordSuggestOracle.java
index daa7ad1..a328ac6 100644
--- a/user/src/com/google/gwt/user/client/ui/MultiWordSuggestOracle.java
+++ b/user/src/com/google/gwt/user/client/ui/MultiWordSuggestOracle.java

@@ -16,6 +16,7 @@
 package com.google.gwt.user.client.ui;
 
 import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
+import com.google.gwt.safehtml.shared.SafeHtmlUtils;
 import com.google.gwt.user.client.rpc.IsSerializable;
 
 import java.util.ArrayList;
@@ -284,7 +285,7 @@
       Collection<String> suggestionList) {
     Collection<Suggestion> accum = new ArrayList<Suggestion>();
     for (String candidate : suggestionList) {
-      accum.add(createSuggestion(candidate, candidate));
+      accum.add(createSuggestion(candidate, SafeHtmlUtils.htmlEscape(candidate)));
     }
     setDefaultSuggestions(accum);
   }
commit	a5f27fa97dd8b8af8efe1fecd86933b5b4f020d3	[log] [tgz]
author	ehwang@google.com <ehwang@google.com@8db76d5a-ed1c-0410-87a9-c151d255dfc7>	Fri Jan 27 16:06:11 2012 +0000
committer	ehwang@google.com <ehwang@google.com@8db76d5a-ed1c-0410-87a9-c151d255dfc7>	Fri Jan 27 16:06:11 2012 +0000
tree	0442afed04ba5d8f305745950eb161f1a57fda75
parent	2020aed8bd29912671c993f3b78d187598dbb194 [diff]