ace.js: use URL encoding when building an URL via string concatenation
Not performing encoding/decoding when traversing logical domains is a security risk. String concatenation is not great, too, but this change is just focused on allowing the implementation of skin support.pull/3475/head
parent
2cc32d7fe9
commit
6c56e7ca7a
|
@ -186,7 +186,7 @@ function Ace2Editor()
|
|||
}
|
||||
for (var i = 0, ii = remoteFiles.length; i < ii; i++) {
|
||||
var file = remoteFiles[i];
|
||||
buffer.push('<link rel="stylesheet" type="text/css" href="' + file + '"\/>');
|
||||
buffer.push('<link rel="stylesheet" type="text/css" href="' + encodeURI(file) + '"\/>');
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue