Add blank state for repository template columns, fix XSS [SCI-11893]

app/javascript/vue/repositories/modals/new.vue

@@ -39,13 +39,16 @@
                   <div class="flex gap-4 overflow-hidden items-centers">
                     <div class="truncate font-bold">{{  hoveredRow.name }}</div>
                   </div>
-                  <template v-if="hoveredRow.columns">
+                  <template v-if="hoveredRow.columns?.length !== 0">
                     <div class="flex items-center gap-0.5 overflow-hidden text-xs" v-for="column in hoveredRow.columns">
                       <span class="truncate shrink-c">{{ column[0] }}</span>
                       <span>-</span>
                       <span class="truncate shrink-0">{{ column[1] }}</span>
                     </div>
                   </template>
+                  <template v-else>
+                    {{ i18n.t('repositories.index.modal_create.only_system_defined_columns') }}
+                  </template>
                 </template>
               </div>
             </div>
@@ -65,6 +68,7 @@
 <script>
 /* global HelperModule GLOBAL_CONSTANTS */
 
+import escapeHtml from '../../shared/escape_html.js';
 import axios from '../../../packs/custom_axios.js';
 import modalMixin from '../../shared/modal_mixin';
 import SelectDropdown from '../../shared/select_dropdown.vue';
@@ -138,7 +142,7 @@ export default {
       return `
         <div class="flex items-center gap-4 w-full">
           <div class="grow overflow-hidden">
-            <div class="truncate" >${row[1]}</div>
+            <div class="truncate" >${escapeHtml(row[1])}</div>
           </div>
           <i class="sn-icon sn-icon-info show-items-columns" title="" data-item-id="${row[0]}"></i>
         </div>`;

app/javascript/vue/shared/escape_html.js

@@ -0,0 +1,6 @@
+export default (unsafe) => unsafe
+  .replaceAll('&', '&')
+  .replaceAll('<', '&lt;')
+  .replaceAll('>', '&gt;')
+  .replaceAll('"', '&quot;')
+  .replaceAll("'", '&#039;');

app/javascript/vue/shared/repository_row_selector.vue

@@ -49,6 +49,7 @@
 </template>
 
 <script>
+import escapeHtml from '../shared/escape_html.js';
 import SelectDropdown from './select_dropdown.vue';
 import axios from '../../packs/custom_axios.js';
 import {
@@ -144,7 +145,7 @@ export default {
       return `
         <div class="flex items-center gap-4 w-full">
           <div class="grow overflow-hidden">
-            <div class="truncate" >${row[1]}</div>
+            <div class="truncate" >${escapeHtml(row[1])}</div>
             <div class="text-sn-grey">IT${row[0]}</div>
           </div>
           <i class="sn-icon sn-icon-info show-items-columns" title="" data-item-id="${row[0]}" data-repository-id='${this.selectedRepository}'></i>

config/locales/en.yml

@@ -2250,6 +2250,7 @@ en:
         submit: "Create"
         success_flash_html: "Inventory <strong>%{name}</strong> successfully created."
         repository_template_label: "Select inventory template"
+        only_system_defined_columns: 'Only system defined columns.'
       modal_confirm_sharing:
         title: "Inventory sharing changes"
         description_1: "You will no longer share this inventory with some of the teams. All unshared inventory items assigned to tasks will be automatically removed and this action is irreversible. Any item relationship links (if they exist) will also be deleted."