Fix xss vulnerability(escape html in input)

assets/scripts/src/choices.js

@@ -22,6 +22,7 @@ import {
   isType,
   isElement,
   strToEl,
+  stripHTML,
   extend,
   getWidthOfInput,
   sortByAlpha,
@@ -85,7 +86,7 @@ class Choices {
       noChoicesText: 'No choices to choose from',
       itemSelectText: 'Press to select',
       addItemText: (value) => {
-        return `Press Enter to add <b>"${value}"</b>`;
+        return `Press Enter to add <b>"${stripHTML(value)}"</b>`;
       },
       maxItemText: (maxItemCount) => {
         return `Only ${maxItemCount} values can be added.`;

assets/scripts/src/lib/utils.js

@@ -432,15 +432,15 @@ export const isScrolledIntoView = (el, parent, direction = 1) => {
 };
 
 /**
- * Remove html tags from a string
- * @param  {String}  Initial string/html
+ * Escape html in a string
+ * @param  {String} html  Initial string/html
  * @return {String}  Sanitised string
  */
-export const stripHTML = function(html) {
-  let el = document.createElement("DIV");
-  el.innerHTML = html;
-  return el.textContent || el.innerText || "";
-};
+export const stripHTML = html =>
+   html.replace(/&/g, '&')
+     .replace(/>/g, '&rt;')
+     .replace(/</g, '&lt;')
+     .replace(/"/g, '&quot;');
 
 /**
  * Adds animation to an element and removes it upon animation completion
@@ -501,7 +501,7 @@ export const getWidthOfInput = (input) => {
   let width = input.offsetWidth;
 
   if (value) {
-    const testEl = strToEl(`<span>${ value }</span>`);
+    const testEl = strToEl(`<span>${ stripHTML(value) }</span>`);
     testEl.style.position = 'absolute';
     testEl.style.padding = '0';
     testEl.style.top = '-9999px';