Fix xss for titles in tags labels [SCI-8133] (#5130)

aignatov-bio 2023-03-13 14:39:12 +01:00 committed by GitHub
parent 92d7fbb351
commit 946ea47d55
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -727,16 +727,17 @@ var dropdownSelector = (function() {
// Select element appearance
var tagAppearance = selector.data('config').selectAppearance === 'simple' ? 'ds-simple' : 'ds-tags';
var label = customLabel ? customLabel(data) : data.label;
var title = (data.params && data.params.tooltip) || $('<span>' + label + '</span>').text().trim();
// Add new tag before search field
var tag = $(`<div class="${tagAppearance} ${customClass}" style="${customStyle ? customStyle(data) : ''}" >
<div class="tag-label"
title="${(data.params && data.params.tooltip) || $('<span>' + label + '</span>').text().trim()}"
data-ds-tag-group="${data.group}"
data-ds-tag-id="${data.value}">
</div>
<i class="fas fa-times ${selector.data('config').singleSelect ? 'hidden' : ''}"></i>
</div>`).insertBefore(container.find('.input-field .search-field'));
tag.find('.tag-label').attr('title', title);
if (selector.data('config').labelHTML) {
tag.find('.tag-label').html(label);
} else {
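Review bot: The `title` computation still passes `label` through jQuery's HTML parser: `$('<span>' + label + '</span>')` builds real DOM nodes from the string before `.text()` is read, so markup in a label is parsed against the live document even though the result is then set safely with `.attr('title', title)`. An inert parse strips the tags without that side effect, e.g. `var title = (data.params && data.params.tooltip) || new DOMParser().parseFromString(label, 'text/html').body.textContent.trim();`. The same template still interpolates `data.group`, `data.value`, `customClass` and the `customStyle(data)` result into attribute values; if any of these can carry user-controlled text, set them with `.attr()` / `.addClass()` after creation, as was done for `title`. The `labelHTML` branch calls `.html(label)` deliberately, so it deserves a comment such as `// labelHTML: label must already be sanitized by the caller`. The enclosing function starts and ends outside this hunk, and the +/- markers are lost on this page, so this assumes the `var title` line and the `.attr('title', title)` call are the added side.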