From e46ae7420906c51f01c74dfaea4c15bd5466bc51 Mon Sep 17 00:00:00 2001
From: c5254061
Date: Fri, 23 Mar 2018 18:51:50 +0300
Subject: [PATCH 1/2] Fix xss vulnerability(escape html in input)

---
 src/scripts/src/constants.js | 3 ++-
 src/scripts/src/lib/utils.js | 16 ++++++++--------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/scripts/src/constants.js b/src/scripts/src/constants.js
index 5c377de..cb9535b 100644
--- a/src/scripts/src/constants.js
+++ b/src/scripts/src/constants.js
@@ -1,3 +1,4 @@
+import { stripHTML } from './lib/utils';
 export const DEFAULT_CLASSNAMES = {
 containerOuter: 'choices',
@@ -62,7 +63,7 @@ export const DEFAULT_CONFIG = {
 noChoicesText: 'No choices to choose from',
 itemSelectText: 'Press to select',
 uniqueItemText: 'Only unique values can be added.',
-addItemText: value => `Press Enter to add "${value}"`,
+addItemText: value => `Press Enter to add "${stripHTML(value)}"`,
 maxItemText: maxItemCount => `Only ${maxItemCount} values can be added.`,
 itemComparer: (choice, item) => (choice === item),
 fuseOptions: {
diff --git a/src/scripts/src/lib/utils.js b/src/scripts/src/lib/utils.js
index af1833d..754ba4c 100644
--- a/src/scripts/src/lib/utils.js
+++ b/src/scripts/src/lib/utils.js
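Review bot: Escaping inside the default `addItemText` callback only protects users who keep the default; DEFAULT_CONFIG is consumer-overridable (the sibling `maxItemText` and `itemComparer` defaults in this hunk are the same kind of option), so a consumer-supplied `addItemText` returns unescaped markup and the sink is no safer than before. The encoding belongs where the returned string is written into the DOM, which is outside this hunk; the default can then stay `addItemText: value => \`Press Enter to add "${value}"\``. If that render site already encodes, this change double-encodes and a typed `&` displays as `&amp;`; the render site is not visible here, so that part is inferred.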
@@ -421,15 +421,15 @@ export const isScrolledIntoView = (el, parent, direction = 1) => {
 };
 /**
- * Remove html tags from a string
- * @param {String} Initial string/html
+ * Escape html in the string
+ * @param {String} html Initial string/html
  * @return {String} Sanitised string
  */
-export const stripHTML = function(html) {
-const el = document.createElement('DIV');
-el.innerHTML = html;
-return el.textContent || el.innerText || '';
-};
+export const stripHTML = html =>
+html.replace(/&/g, '&')
+.replace(/>/g, '&rt;')
+.replace(/ {
 let width = input.offsetWidth;
 if (value) {
-const testEl = strToEl(`${value}`);
+const testEl = strToEl(`${stripHTML(value)}`);
 testEl.style.position = 'absolute';
 testEl.style.padding = '0';
 testEl.style.top = '-9999px';
From c2fccdc3985ed653f5492c250dd2001f0671ddb0 Mon Sep 17 00:00:00 2001
From: c5254061
Date: Wed, 18 Apr 2018 11:05:21 +0300
Subject: [PATCH 2/2] Fix xss vulnerability(escape html in item label)

---
 src/scripts/src/components/input.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/scripts/src/components/input.js b/src/scripts/src/components/input.js
index 4a40eb1..f8e9251 100644
--- a/src/scripts/src/components/input.js
+++ b/src/scripts/src/components/input.js
@@ -1,4 +1,4 @@
-import { getWidthOfInput } from '../lib/utils';
+import { getWidthOfInput, stripHTML } from '../lib/utils';
 export default class Input {
 constructor(instance, element, classNames) {
@@ -145,7 +145,7 @@ export default class Input {
 }
 getValue() {
-return this.element.value;
+return stripHTML(this.element.value);
 }
 setActiveDescendant(activeDescendantID) {
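Review bot: The new `stripHTML` body in src/scripts/src/lib/utils.js emits `&rt;`, which is not an HTML entity, so `>` is mangled instead of encoded; that line should read `.replace(/>/g, '&gt;')`. As rendered on this page the first step `.replace(/&/g, '&')` is a no-op — if the source really writes `'&amp;'` this is a rendering artifact, but it is worth confirming, because the ampersand must be encoded before the other entities are introduced. The third `.replace` is truncated on this page, and nothing encodes `"` or `'`, which matters wherever the result is interpolated into an attribute. The name `stripHTML` no longer matches the behaviour (the removed body returned textContent, the new one encodes), so a single-pass lookup-table escape with a docblock saying "encode, not strip" would be clearer:
```javascript
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// … unchanged: JSDoc block above stripHTML …
export const stripHTML = html =>
  String(html).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
```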
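Review bot: Encoding in `getValue()` (src/scripts/src/components/input.js, second hunk) changes the accessor's contract from returning the user's data to returning HTML-encoded text, so every consumer that treats the value as data — comparison through `itemComparer`, the stored item value, anything submitted with the form — receives `&amp;` or `&lt;` in place of the typed characters. Output encoding belongs at the point where the value is written into markup (the `strToEl` and template-literal sites), not in the getter; keep `return this.element.value;` here and apply `stripHTML` at the render sink. The consumers of `getValue()` are outside this hunk, so which of them currently inserts the value as HTML is inferred rather than visible.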