Fix xss vulnerability(escape html in input)
This commit is contained in:
parent
f23beeb63d
commit
394bde313d
|
@ -22,6 +22,7 @@ import {
|
|||
isType,
|
||||
isElement,
|
||||
strToEl,
|
||||
stripHTML,
|
||||
extend,
|
||||
getWidthOfInput,
|
||||
sortByAlpha,
|
||||
|
@ -85,7 +86,7 @@ class Choices {
|
|||
noChoicesText: 'No choices to choose from',
|
||||
itemSelectText: 'Press to select',
|
||||
addItemText: (value) => {
|
||||
return `Press Enter to add <b>"${value}"</b>`;
|
||||
return `Press Enter to add <b>"${stripHTML(value)}"</b>`;
|
||||
},
|
||||
maxItemText: (maxItemCount) => {
|
||||
return `Only ${maxItemCount} values can be added.`;
|
||||
|
|
|
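Review bot: The escaping is applied only inside the default `addItemText` callback, so a consumer who overrides this option receives the raw `value` and, since the returned string is evidently treated as HTML (`<b>…</b>`), has to remember to escape it themselves; the option's documentation should say so, e.g. `// value is raw user input; custom callbacks must escape it if the returned string is inserted as HTML`. How the returned string reaches the DOM is not visible in this hunk, and the options object continues outside it. `maxItemText` is left unescaped, which is fine only as long as `maxItemCount` is the numeric config value rather than anything user-controlled.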
@ -432,15 +432,15 @@ export const isScrolledIntoView = (el, parent, direction = 1) => {
|
|||
};
|
||||
|
||||
/**
|
||||
* Remove html tags from a string
|
||||
* @param {String} Initial string/html
|
||||
* Escape html in a string
|
||||
* @param {String} html Initial string/html
|
||||
* @return {String} Sanitised string
|
||||
*/
|
||||
export const stripHTML = function(html) {
|
||||
let el = document.createElement("DIV");
|
||||
el.innerHTML = html;
|
||||
return el.textContent || el.innerText || "";
|
||||
};
|
||||
export const stripHTML = html =>
|
||||
html.replace(/&/g, '&')
|
||||
.replace(/>/g, '&rt;')
|
||||
.replace(/</g, '<')
|
||||
.replace(/"/g, '"');
|
||||
|
||||
/**
|
||||
* Adds animation to an element and removes it upon animation completion
|
||||
|
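Review bot: `.replace(/>/g, '&rt;')` on the new side uses a name that is not an HTML entity (`&gt;` is), so any `>` in user input is displayed literally as `&rt;`; as rendered here the `&`, `<` and `"` replacements also show bare characters (`'&'`, `'<'`, `'"'`), which would make them no-ops and leave `<` unescaped — presumably the page decoded `&amp;`, `&lt;` and `&quot;` on display, but that is worth confirming against the committed file. The new function also throws on non-string input where the old `innerHTML` version coerced it, and it does not escape `'`, which matters if a caller ever places the result inside a single-quoted attribute. Since the name no longer matches the behaviour (tags are escaped and shown literally, not removed), the JSDoc should say so, e.g. `* Escape html in a string (tags are rendered literally, not removed)`. A corrected body is below.
```javascript
export const stripHTML = html =>
  String(html)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
```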
@ -501,7 +501,7 @@ export const getWidthOfInput = (input) => {
|
|||
let width = input.offsetWidth;
|
||||
|
||||
if (value) {
|
||||
const testEl = strToEl(`<span>${ value }</span>`);
|
||||
const testEl = strToEl(`<span>${ stripHTML(value) }</span>`);
|
||||
testEl.style.position = 'absolute';
|
||||
testEl.style.padding = '0';
|
||||
testEl.style.top = '-9999px';
|
||||
|
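Review bot: `strToEl(`<span>${ stripHTML(value) }</span>`)` still builds markup from user input and then depends on `stripHTML` being exactly right (with the `&rt;` spelling in this commit, a `>` in the value is measured as the wider literal text `&rt;`); creating the element directly avoids the round trip entirely: `const testEl = document.createElement('span'); testEl.textContent = value;`. This assumes `strToEl` does nothing beyond parsing the string into an element — it is defined outside this hunk, as is the rest of `getWidthOfInput`.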
|