From 946ea47d55c6b2c1ddb8455af8728a4e97517889 Mon Sep 17 00:00:00 2001
From: aignatov-bio <47317017+aignatov-bio@users.noreply.github.com>
Date: Mon, 13 Mar 2023 14:39:12 +0100
Subject: [PATCH] Fix xss for titles in tags labels [SCI-8133] (#5130)
---
 app/assets/javascripts/sitewide/dropdown_selector.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/assets/javascripts/sitewide/dropdown_selector.js b/app/assets/javascripts/sitewide/dropdown_selector.js
index ba7eefb6f..c4d9519fa 100644
--- a/app/assets/javascripts/sitewide/dropdown_selector.js
+++ b/app/assets/javascripts/sitewide/dropdown_selector.js
@@ -727,16 +727,17 @@ var dropdownSelector = (function() {
 // Select element appearance
 var tagAppearance = selector.data('config').selectAppearance === 'simple' ? 'ds-simple' : 'ds-tags';
 var label = customLabel ? customLabel(data) : data.label;
+ var title = (data.params && data.params.tooltip) || $('' + label + '').text().trim();
 // Add new tag before search field
 var tag = $(`