Fix xss vulnerability(escape html in input)

src/scripts/src/constants.js

@@ -1,3 +1,4 @@
+import { stripHTML } from './lib/utils';
 
 export const DEFAULT_CLASSNAMES = {
   containerOuter: 'choices',
@@ -62,7 +63,7 @@ export const DEFAULT_CONFIG = {
   noChoicesText: 'No choices to choose from',
   itemSelectText: 'Press to select',
   uniqueItemText: 'Only unique values can be added.',
-  addItemText: value => `Press Enter to add <b>"${value}"</b>`,
+  addItemText: value => `Press Enter to add <b>"${stripHTML(value)}"</b>`,
   maxItemText: maxItemCount => `Only ${maxItemCount} values can be added.`,
   itemComparer: (choice, item) => (choice === item),
   fuseOptions: {

src/scripts/src/lib/utils.js

@@ -421,15 +421,15 @@ export const isScrolledIntoView = (el, parent, direction = 1) => {
 };
 
 /**
- * Remove html tags from a string
- * @param  {String}  Initial string/html
+ * Escape html in the string
+ * @param  {String} html Initial string/html
  * @return {String}  Sanitised string
  */
-export const stripHTML = function(html) {
-  const el = document.createElement('DIV');
-  el.innerHTML = html;
-  return el.textContent || el.innerText || '';
-};
+export const stripHTML = html =>
+  html.replace(/&/g, '&')
+    .replace(/>/g, '&rt;')
+    .replace(/</g, '&lt;')
+    .replace(/"/g, '&quot;');
 
 /**
  * Adds animation to an element and removes it upon animation completion
@@ -490,7 +490,7 @@ export const getWidthOfInput = (input) => {
   let width = input.offsetWidth;
 
   if (value) {
-    const testEl = strToEl(`<span>${value}</span>`);
+    const testEl = strToEl(`<span>${stripHTML(value)}</span>`);
     testEl.style.position = 'absolute';
     testEl.style.padding = '0';
     testEl.style.top = '-9999px';