Fix XSS vulnerability (escape HTML in input)
This commit is contained in:
parent
b49980d169
commit
38cf04b0d8
|
@ -1,3 +1,4 @@
|
|||
import { stripHTML } from './lib/utils';
|
||||
|
||||
export const DEFAULT_CLASSNAMES = {
|
||||
containerOuter: 'choices',
|
||||
|
@ -62,7 +63,7 @@ export const DEFAULT_CONFIG = {
|
|||
noChoicesText: 'No choices to choose from',
|
||||
itemSelectText: 'Press to select',
|
||||
uniqueItemText: 'Only unique values can be added.',
|
||||
addItemText: value => `Press Enter to add <b>"${value}"</b>`,
|
||||
addItemText: value => `Press Enter to add <b>"${stripHTML(value)}"</b>`,
|
||||
maxItemText: maxItemCount => `Only ${maxItemCount} values can be added.`,
|
||||
itemComparer: (choice, item) => (choice === item),
|
||||
fuseOptions: {
|
||||
|
|
|
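Review bot: The new `addItemText` default escapes `value`, but nothing in DEFAULT_CONFIG records why, and `addItemText` is a user-overridable callback whose overrides get none of this protection. A one-line comment above it would make the contract explicit: `// value is raw user input, presumably rendered as HTML; custom addItemText callbacks must escape it too`. `maxItemText` on the following line interpolates a configured count rather than user text, so it looks fine as is. Both hunks here sit inside object literals that continue outside the hunk.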
@ -421,15 +421,15 @@ export const isScrolledIntoView = (el, parent, direction = 1) => {
|
|||
};
|
||||
|
||||
/**
|
||||
* Remove html tags from a string
|
||||
* @param {String} Initial string/html
|
||||
* Escape html in the string
|
||||
* @param {String} html Initial string/html
|
||||
* @return {String} Sanitised string
|
||||
*/
|
||||
export const stripHTML = function(html) {
|
||||
const el = document.createElement('DIV');
|
||||
el.innerHTML = html;
|
||||
return el.textContent || el.innerText || '';
|
||||
};
|
||||
export const stripHTML = html =>
|
||||
html.replace(/&/g, '&')
|
||||
.replace(/>/g, '&rt;')
|
||||
.replace(/</g, '<')
|
||||
.replace(/"/g, '"');
|
||||
|
||||
/**
|
||||
* Adds animation to an element and removes it upon animation completion
|
||||
|
@ -490,7 +490,7 @@ export const getWidthOfInput = (input) => {
|
|||
let width = input.offsetWidth;
|
||||
|
||||
if (value) {
|
||||
const testEl = strToEl(`<span>${value}</span>`);
|
||||
const testEl = strToEl(`<span>${stripHTML(value)}</span>`);
|
||||
testEl.style.position = 'absolute';
|
||||
testEl.style.padding = '0';
|
||||
testEl.style.top = '-9999px';
|
||||
|
|
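Review bot: `.replace(/>/g, '&rt;')` in the new `stripHTML` substitutes a character reference that does not exist; browsers leave `&rt;` undecoded, so any `>` typed by the user is displayed literally as `&rt;` (and `getWidthOfInput` in the later hunk measures that string rather than the character). The line should read `.replace(/>/g, '&gt;')`. As printed on this page the other three replacements map `&`, `<` and `"` to themselves, which would be no-ops and leave `<` unescaped; that is most likely the page renderer decoding `&amp;`, `&lt;` and `&quot;`, but it is worth confirming against the source. The old DOM-based version tolerated non-string input via `innerHTML`, whereas `html.replace` throws on a number or undefined, so if any caller passes such a value the new version needs `String(html)` first.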