Fix xss vulnerability(escape html in input)
This commit is contained in:
parent
f23beeb63d
commit
394bde313d
@ -22,6 +22,7 @@ import {
|
||||||
isType,
|
isType,
|
||||||
isElement,
|
isElement,
|
||||||
strToEl,
|
strToEl,
|
||||||
|
stripHTML,
|
||||||
extend,
|
extend,
|
||||||
getWidthOfInput,
|
getWidthOfInput,
|
||||||
sortByAlpha,
|
sortByAlpha,
|
||||||
|
@ -85,7 +86,7 @@ class Choices {
|
||||||
noChoicesText: 'No choices to choose from',
|
noChoicesText: 'No choices to choose from',
|
||||||
itemSelectText: 'Press to select',
|
itemSelectText: 'Press to select',
|
||||||
addItemText: (value) => {
|
addItemText: (value) => {
|
||||||
return `Press Enter to add <b>"${value}"</b>`;
|
return `Press Enter to add <b>"${stripHTML(value)}"</b>`;
|
||||||
},
|
},
|
||||||
maxItemText: (maxItemCount) => {
|
maxItemText: (maxItemCount) => {
|
||||||
return `Only ${maxItemCount} values can be added.`;
|
return `Only ${maxItemCount} values can be added.`;
|
||||||
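Review bot: Only the default `addItemText` callback is escaped here; any user-supplied override still receives the raw `value`, and its return appears to be treated as HTML (the default wraps it in `<b>…</b>`), so an override that interpolates `value` without escaping reintroduces the injection this commit fixes. A comment on the option would make the contract explicit, e.g. above `addItemText`: `// Return value is inserted as HTML: overrides must escape \`value\` (see stripHTML).` The same presumably applies to the other text-returning options in this config block, though only `addItemText` interpolates user input in the visible lines. The enclosing defaults object starts and ends outside the hunk.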
|
|
|
@ -432,15 +432,15 @@ export const isScrolledIntoView = (el, parent, direction = 1) => {
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Remove html tags from a string
|
* Escape html in a string
|
||||||
* @param {String} Initial string/html
|
* @param {String} html Initial string/html
|
||||||
* @return {String} Sanitised string
|
* @return {String} Sanitised string
|
||||||
*/
|
*/
|
||||||
export const stripHTML = function(html) {
|
export const stripHTML = html =>
|
||||||
let el = document.createElement("DIV");
|
html.replace(/&/g, '&')
|
||||||
el.innerHTML = html;
|
.replace(/>/g, '&rt;')
|
||||||
return el.textContent || el.innerText || "";
|
.replace(/</g, '<')
|
||||||
};
|
.replace(/"/g, '"');
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Adds animation to an element and removes it upon animation completion
|
* Adds animation to an element and removes it upon animation completion
|
||||||
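Review bot: The `>` replacement on the `.replace(/>/g, '&rt;')` line substitutes `&rt;`, which is not an HTML character reference, so browsers render it as the literal text `&rt;` and a `>` in the input shows up garbled in the add-item hint and in the width-measuring span; it should be `.replace(/>/g, '&gt;')`. The other three replacement strings are shown on this page as the bare characters `'&'`, `'<'` and `'"'`, presumably `&amp;`, `&lt;` and `&quot;` decoded by the renderer — if the file really contains the bare characters those calls are no-ops and the function escapes nothing, so that is worth confirming against the source. Keeping the `&` replacement first, as the hunk does, is necessary so the entities added afterwards are not double-escaped. Since the helper now escapes rather than strips, the docblock's `@return` could say `Escaped string` and a name such as `escapeHTML` (with `stripHTML` kept as an alias for callers) would match what it does; note also that `'` is not escaped, which is fine for text content but not for single-quoted attributes.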
|
@ -501,7 +501,7 @@ export const getWidthOfInput = (input) => {
|
||||||
let width = input.offsetWidth;
|
let width = input.offsetWidth;
|
||||||
|
|
||||||
if (value) {
|
if (value) {
|
||||||
const testEl = strToEl(`<span>${ value }</span>`);
|
const testEl = strToEl(`<span>${ stripHTML(value) }</span>`);
|
||||||
testEl.style.position = 'absolute';
|
testEl.style.position = 'absolute';
|
||||||
testEl.style.padding = '0';
|
testEl.style.padding = '0';
|
||||||
testEl.style.top = '-9999px';
|
testEl.style.top = '-9999px';
|
||||||
|
|