From 44823da2686aacf897021d69c588999da429e8f3 Mon Sep 17 00:00:00 2001 From: aignatov-bio <47317017+aignatov-bio@users.noreply.github.com> Date: Wed, 15 Mar 2023 12:55:28 +0100 Subject: [PATCH] Fix escaping for dropdown options and keywords escaping [SCI-8137] (#5145) --- .../javascripts/sitewide/dropdown_selector.js | 24 ++++++++++++------- app/controllers/protocols_controller.rb | 6 ----- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/app/assets/javascripts/sitewide/dropdown_selector.js b/app/assets/javascripts/sitewide/dropdown_selector.js index c4d9519fa..71e9a23f9 100644 --- a/app/assets/javascripts/sitewide/dropdown_selector.js +++ b/app/assets/javascripts/sitewide/dropdown_selector.js @@ -541,16 +541,22 @@ var dropdownSelector = (function() { var customLabel = selector2.data('config').optionLabel; var customClass = params.optionClass || selector2.data('config').optionClass || ''; var customStyle = selector2.data('config').optionStyle; - return $(` - " + var optionElement = $(` + `); + optionElement + .attr('title', (option.params && option.params.tooltip) || '') + .attr('data-params', JSON.stringify(option.params || {})) + .attr('data-label', option.label) + .attr('data-group', group ? group.value : '') + .attr('data-value', option.value); + if (customLabel) { + optionElement.html(customLabel(option)); + } else { + optionElement.html(option.label); + } + return optionElement; } // Draw delimiter object diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb index 4cef8c8d8..a821e70aa 100644 --- a/app/controllers/protocols_controller.rb +++ b/app/controllers/protocols_controller.rb 
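Review bot: In dropdown_selector.js the default branch still writes the label with `optionElement.html(option.label)`, so a label that contains markup is parsed as HTML even though the attributes are now set safely through `.attr()`. This matters more after this commit, because the `escape_input` call is removed from `update_keywords` in protocols_controller.rb and keywords are presumably stored as entered. If those values, or any other user-entered labels, can reach this selector, the default branch should be `optionElement.text(option.label);`. If labels are instead HTML-escaped by the endpoint that feeds the selector, record that above the branch, e.g. `// option.label is escaped server-side; customLabel() must return trusted or escaped markup`. The enclosing function starts above the hunk, so whether its callers escape labels cannot be confirmed from here.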
@@ -172,12 +172,6 @@ class ProtocolsController < ApplicationController
 def update_keywords
 respond_to do |format|
- # sanitize user input
- if params[:keywords]
- params[:keywords].collect! do |keyword|
- escape_input(keyword)
- end
- end
 if @protocol.update_keywords(params[:keywords])
 format.json do
 log_activity(:edit_keywords_in_protocol_repository, nil, protocol: @protocol.id)