Fix xss vulnerability(escape html in input)
This commit is contained in:
parent
b49980d169
commit
38cf04b0d8
|
@ -1,3 +1,4 @@
|
||||||
|
import { stripHTML } from './lib/utils';
|
||||||
|
|
||||||
export const DEFAULT_CLASSNAMES = {
|
export const DEFAULT_CLASSNAMES = {
|
||||||
containerOuter: 'choices',
|
containerOuter: 'choices',
|
||||||
|
@ -62,7 +63,7 @@ export const DEFAULT_CONFIG = {
|
||||||
noChoicesText: 'No choices to choose from',
|
noChoicesText: 'No choices to choose from',
|
||||||
itemSelectText: 'Press to select',
|
itemSelectText: 'Press to select',
|
||||||
uniqueItemText: 'Only unique values can be added.',
|
uniqueItemText: 'Only unique values can be added.',
|
||||||
addItemText: value => `Press Enter to add <b>"${value}"</b>`,
|
addItemText: value => `Press Enter to add <b>"${stripHTML(value)}"</b>`,
|
||||||
maxItemText: maxItemCount => `Only ${maxItemCount} values can be added.`,
|
maxItemText: maxItemCount => `Only ${maxItemCount} values can be added.`,
|
||||||
itemComparer: (choice, item) => (choice === item),
|
itemComparer: (choice, item) => (choice === item),
|
||||||
fuseOptions: {
|
fuseOptions: {
|
||||||
|
|
|
@ -421,15 +421,15 @@ export const isScrolledIntoView = (el, parent, direction = 1) => {
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Remove html tags from a string
|
* Escape html in the string
|
||||||
* @param {String} Initial string/html
|
* @param {String} html Initial string/html
|
||||||
* @return {String} Sanitised string
|
* @return {String} Sanitised string
|
||||||
*/
|
*/
|
||||||
export const stripHTML = function(html) {
|
export const stripHTML = html =>
|
||||||
const el = document.createElement('DIV');
|
html.replace(/&/g, '&')
|
||||||
el.innerHTML = html;
|
.replace(/>/g, '&rt;')
|
||||||
return el.textContent || el.innerText || '';
|
.replace(/</g, '<')
|
||||||
};
|
.replace(/"/g, '"');
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Adds animation to an element and removes it upon animation completion
|
* Adds animation to an element and removes it upon animation completion
|
||||||
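Review bot: The `>` replacement in the new stripHTML writes `'&rt;'`, which is not an HTML character reference — browsers render it as the literal text `&rt;` — so a `>` in user input is mangled rather than escaped; the line should read `.replace(/>/g, '&gt;')`. As rendered on this mirror the replacement strings for `&`, `<` and `"` print as the bare characters, which would make those three calls no-ops; if that is not just entity decoding by the page, they must be the `&amp;`, `&lt;` and `&quot;` forms, with `&` replaced first as it already is. The removed implementation tolerated a null or undefined argument through `el.textContent || el.innerText || ''`, whereas the new arrow form calls `html.replace` directly and throws on a non-string, so a guard such as `html == null ? '' : String(html)` at the top would keep parity with callers that passed through that path. The same escaper feeds `addItemText` and `getWidthOfInput` in the other two hunks, so both inherit whatever this function leaves unescaped.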
|
@ -490,7 +490,7 @@ export const getWidthOfInput = (input) => {
|
||||||
let width = input.offsetWidth;
|
let width = input.offsetWidth;
|
||||||
|
|
||||||
if (value) {
|
if (value) {
|
||||||
const testEl = strToEl(`<span>${value}</span>`);
|
const testEl = strToEl(`<span>${stripHTML(value)}</span>`);
|
||||||
testEl.style.position = 'absolute';
|
testEl.style.position = 'absolute';
|
||||||
testEl.style.padding = '0';
|
testEl.style.padding = '0';
|
||||||
testEl.style.top = '-9999px';
|
testEl.style.top = '-9999px';
|
||||||
|
|