From be4492b7b6acb853ae2d795a2add89d1b1102f66 Mon Sep 17 00:00:00 2001
From: Marco 'Lubber' Wienkoop
Date: Sun, 19 Feb 2023 20:16:10 +0100
Subject: [PATCH] fix(dropdown): possible XSS through select option text
This PR fixes a possible XSS through an entity encoded select option text when converted into a FUI dropdown. Even if preserveHTML: false would prevent this, a select tag cannot contain html at all and if it contains entity encoded HTML instead, it should not be reconverted into html. The PR also fixes recreating the dropdown menu twice when no values are selected in a multiple dropdown Thanks to @brian-codes for reporting
---
 src/definitions/modules/dropdown.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/definitions/modules/dropdown.js b/src/definitions/modules/dropdown.js
index e7b0d76387..8fcf299915 100644
--- a/src/definitions/modules/dropdown.js
+++ b/src/definitions/modules/dropdown.js
@@ -2076,7 +2076,7 @@
 values.push({ name: name, value: value,
- text: text,
+ text: module.escape.htmlEntities(text, true),
 disabled: disabled, }); }
@@ -3459,7 +3459,7 @@
 selectChanged = false ; $.each(mutations, function (index, mutation) {
- if ($(mutation.target).is('select, option, optgroup') || $(mutation.addedNodes).is('select')) {
+ if ($(mutation.target).is('option, optgroup') || $(mutation.addedNodes).is('select') || ($(mutation.target).is('select') && mutation.type !== 'attributes')) {
 selectChanged = true; return false;
@@ -3768,7 +3768,7 @@
 return text.replace(regExp.escape, '\\$&'); },
- htmlEntities: function (string) {
+ htmlEntities: function (string, forceAmpersand) {
 var badChars = /["'<>`]/g, shouldEscape = /["&'<>`]/,
@@ -3784,7 +3784,7 @@
 } ; if (shouldEscape.test(string)) {
- string = string.replace(/&(?![\d#a-z]{1,12};)/gi, '&');
+ string = string.replace(forceAmpersand ? /&/g : /&(?![\d#a-z]{1,12};)/gi, '&');
 return string.replace(badChars, escapedChar); }
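Review bot: In the first hunk `text` is the only one of the four pushed fields that is escaped, while `name` and `value` are still pushed verbatim, and nothing at the push records why `text` alone needs the forced `&` encoding, so the asymmetry invites a later "fix" in either direction. A why-comment above `values.push({` would pin the reasoning with the code, e.g. `// Option text is plain text (a <select> cannot hold markup); encode every '&' too so entity-looking text is never reinterpreted as HTML further down.` Whether leaving `name`/`value` unescaped is safe depends on how the menu template and the text/value setters consume them, which is outside this hunk; it is worth confirming that no consumer feeds `name` into `.html()` while preserveHTML is enabled. The enclosing function starts and ends outside the hunk.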
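Review bot: The new `mutation.type !== 'attributes'` clause in the observer condition means attribute changes on the `<select>` itself (for example toggling `disabled` or `multiple` from outside) no longer set `selectChanged`, whereas the same attribute changes on an `<option>` or `<optgroup>` still do; that asymmetry is easy to misread as a bug. If it is intentional — the commit message suggests the dropdown's own attribute writes were triggering a second rebuild — a one-line comment on the condition would save the next reader the archaeology, e.g. `// attribute writes on the <select> itself are ignored: presumably our own updates, and they caused the menu to be rebuilt twice`. The observer callback and the `return false` block continue outside the hunk.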
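Review bot: The new `forceAmpersand` parameter on `htmlEntities` changes what the helper promises (all `&` encoded versus entity-looking runs preserved), and the signature carries no documentation of when a caller should pass `true`; future callers escaping plain or already-decoded text will keep the default and remain exposed. A short header above the function describing the two modes would close that gap: roughly, `string` is the text to make safe for HTML insertion, and `forceAmpersand`, when true, encodes every `&` (use for plain text such as `<option>` content or attribute values), while when false or omitted an `&` that already starts an entity is left alone (HTML-preserving mode). The function body continues outside this hunk.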
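Review bot: As rendered, the added line replaces `&` with the literal `'&'` on both the removed and the added side, which would make the ampersand pass a no-op and leave `<`/`>` escaping to `badChars` alone; this is presumably `'&amp;'` in the repository and was entity-decoded when the page was extracted, but it should be checked against the actual source before anyone relies on this listing. With that caveat, the non-forced branch still passes anything shaped like an entity (`&lt;`, `&#60;`, up to 12 alphanumerics) through untouched, so every call site that escapes decoded or plain text must pass `forceAmpersand = true`; the lenient regex should be understood as the HTML-preserving mode only, and a comment on the ternary saying so, e.g. `// forced: plain text, encode every '&'; otherwise keep existing entities intact`, would make that explicit. The `badChars`/`escapedChar` setup is above the hunk and the function continues past its last line.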