Escape special chars for FE and BE

app/assets/javascripts/repositories/renderers/columns/checklist.js

@@ -4,19 +4,21 @@
 var ChecklistColumnHelper = (function() {
   function checklistSelect(select, url, values) {
     var selectedOptions = '';
+    var selectObject = $(`<select id="${select}"
+                                  data-placeholder = "${I18n.t('repositories.table.checklist.set_checklist')}"
+                                  data-ajax-url = "${url}"
+                                  data-combine-tags="true"
+                                  data-select-multiple-all-selected="${I18n.t('libraries.manange_modal_column.checklist_type.all_options')}"
+                                  data-select-multiple-name="${I18n.t('libraries.manange_modal_column.checklist_type.multiple_options')}">${selectedOptions}</select>`);
     if (values) {
       $.each(values, function(i, option) {
-        selectedOptions += `<option value="${option.value}">${option.label}</option>`;
+        var item = $(`<option value="${option.value}"></option>`);
+        item.text(option.label);
+        item.appendTo(selectObject);
       });
     }
-    return $(`<select 
+
-              id="${select}"
+    return selectObject;
-              data-placeholder = "${I18n.t('repositories.table.checklist.set_checklist')}"
-              data-ajax-url = "${url}"
-              data-combine-tags="true"
-              data-select-multiple-all-selected="${I18n.t('libraries.manange_modal_column.checklist_type.all_options')}"
-              data-select-multiple-name="${I18n.t('libraries.manange_modal_column.checklist_type.multiple_options')}"
-            >${selectedOptions}</select>`);
   }
 
   function checklistHiddenField(formId, columnId, values) {

app/assets/javascripts/repositories/renderers/columns/list.js

@@ -4,14 +4,16 @@
 var ListColumnHelper = (function() {
   function listSelect(select, url, value) {
     var selectedOption = '';
+    var selectObject = $(`<select id="${select}" 
+                                  data-placeholder = "${I18n.t('repositories.table.list.select_item')}"
+                                  data-ajax-url = "${url}" >${selectedOption}</select>`);
+
     if (value && value.value) {
-      selectedOption = `<option value="${value.value}">${value.label}</option>`;
+      selectedOption = $(`<option value="${value.value}"></option>`);
+      selectedOption.text(value.label);
+      selectedOption.appendTo(selectObject);
     }
-    return $(`<select
+    return selectObject;
-              id="${select}"
-              data-placeholder = "${I18n.t('repositories.table.list.select_item')}"
-              data-ajax-url = "${url}"
-            >${selectedOption}</select>`);
   }
 
   function listHiddenField(formId, columnId, value) {

app/assets/javascripts/repositories/renderers/columns/status.js

@@ -4,15 +4,16 @@
 var StatusColumnHelper = (function() {
   function statusSelect(select, url, value) {
     var selectedOption = '';
-    if (value && value.value) {
+    var selectObject = $(`<select id="${select}" 
-      selectedOption = `<option value="${value.value}">${value.label}</option>`;
+                                  data-placeholder = "${I18n.t('repositories.table.status.set_status')}"
-    }
+                                  data-ajax-url = "${url}" ></select>`);
 
-    return $(`<select
+    if (value && value.value) {
-              id="${select}"
+      selectedOption = $(`<option value="${value.value}"></option>`);
-              data-placeholder = "${I18n.t('repositories.table.status.set_status')}"
+      selectedOption.text(value.label);
-              data-ajax-url = "${url}"
+      selectedOption.appendTo(selectObject);
-            >${selectedOption}</select>`);
+    }
+    return selectObject;
   }
 
   function statusHiddenField(formId, columnId, value) {
@@ -46,7 +47,9 @@ var StatusColumnHelper = (function() {
       },
       tagClass: 'emoji-status',
       tagLabel: (data) => {
-        return twemoji.parse(data.label);
+        var render = $('<div>').html(twemoji.parse(data.label));
+        render.find(':not(img)').remove();
+        return render.html();
       }
     });
   }

app/assets/javascripts/sitewide/dropdown_selector.js

@@ -637,8 +637,6 @@ var dropdownSelector = (function() {
                   <i class="fas fa-times ${selector.data('config').singleSelect ? 'hidden' : ''}"></i>
                 </div>`).insertBefore(container.find('.input-field .search-field'));
 
-      console.log(selector.data('config').labelHTML);
-
       if (selector.data('config').labelHTML) {
         tag.find('.tag-label').html(label);
       } else {

app/serializers/repository_datatable/repository_checklist_value_serializer.rb

@@ -2,8 +2,9 @@
 
 module RepositoryDatatable
   class RepositoryChecklistValueSerializer < RepositoryBaseValueSerializer
+    include InputSanitizeHelper
     def value
-      object.data
+      object.data.each { |i| i[:label] = escape_input(i[:label]) }
     end
   end
 end

app/serializers/repository_datatable/repository_list_value_serializer.rb

@@ -2,10 +2,11 @@
 
 module RepositoryDatatable
   class RepositoryListValueSerializer < RepositoryBaseValueSerializer
+    include InputSanitizeHelper
     def value
       {
         id: (object.repository_list_item&.id || ''),
-        text: (object.data || '')
+        text: (escape_input(object.data) || '')
       }
     end
   end

app/serializers/repository_datatable/repository_status_value_serializer.rb

@@ -2,11 +2,12 @@
 
 module RepositoryDatatable
   class RepositoryStatusValueSerializer < RepositoryBaseValueSerializer
+    include InputSanitizeHelper
     def value
       {
         id: object.repository_status_item.id,
         icon: object.repository_status_item.icon,
-        status: object.repository_status_item.status
+        status: escape_input(object.repository_status_item.status)
       }
     end
   end