fix(dropdown): possible XSS through select option text
This PR fixes a possible XSS through an entity encoded select option text when converted into a FUI dropdown.
Even though `preserveHTML: false` would prevent this, a select tag cannot contain HTML at all, and if it contains entity-encoded HTML instead, that text must not be converted back into HTML.

The PR also fixes recreating the dropdown menu twice when no values are selected in a multiple dropdown

Thanks to @brian-codes for reporting
lubber-de authored Feb 19, 2023
1 parent 17aa72d commit be4492b
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions src/definitions/modules/dropdown.js
Expand Up @@ -2076,7 +2076,7 @@
values.push({
name: name,
value: value,
text: text,
text: module.escape.htmlEntities(text, true),
disabled: disabled,
});
}
Expand Down Expand Up @@ -3459,7 +3459,7 @@
selectChanged = false
;
$.each(mutations, function (index, mutation) {
if ($(mutation.target).is('select, option, optgroup') || $(mutation.addedNodes).is('select')) {
if ($(mutation.target).is('option, optgroup') || $(mutation.addedNodes).is('select') || ($(mutation.target).is('select') && mutation.type !== 'attributes')) {
selectChanged = true;

return false;
Expand Down Expand Up @@ -3768,7 +3768,7 @@

return text.replace(regExp.escape, '\\$&');
},
htmlEntities: function (string) {
htmlEntities: function (string, forceAmpersand) {
var
badChars = /["'<>`]/g,
shouldEscape = /["&'<>`]/,
Expand All @@ -3784,7 +3784,7 @@
}
;
if (shouldEscape.test(string)) {
string = string.replace(/&(?![\d#a-z]{1,12};)/gi, '&amp;');
string = string.replace(forceAmpersand ? /&/g : /&(?![\d#a-z]{1,12};)/gi, '&amp;');

return string.replace(badChars, escapedChar);
}
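Review bot: The new `forceAmpersand` parameter on `htmlEntities` is undocumented, yet it is the security-relevant switch: without it an `&` that already looks like an entity is left alone by the `/&(?![\d#a-z]{1,12};)/gi` lookahead, which is exactly the case the option-text caller `module.escape.htmlEntities(text, true)` must not preserve, since entity-encoded markup in `<option>` text would otherwise be revived once the dropdown renders it. A one-line comment above the signature would keep the next caller from picking the wrong mode: `// forceAmpersand: escape every '&', even one that already starts an entity; use for text that must never be re-interpreted as markup (e.g. <option> text)`. Stylistically the mode selection reads better hoisted into the existing var block, `ampersand = forceAmpersand ? /&/g : /&(?![\d#a-z]{1,12};)/gi,` followed by `string = string.replace(ampersand, '&amp;');`, instead of a regex ternary inside the call. The mutation-observer hunk now ignores attribute-only mutations on the select element itself; if the library is expected to refresh when, say, `disabled` or `multiple` is toggled on the source select, that path presumably no longer fires and is worth confirming. The bodies of both the observer callback and `htmlEntities` continue outside their hunks.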
