
Merge pull request #572 from Shoplifter/master
patch for #564: Use textContent instead of innerHTML for setting an option's text
brianvoe authored Oct 11, 2024
2 parents e7e37e2 + a1d1846 commit f8534f2
Showing 2 changed files with 16 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/slim-select/select.ts
Expand Up @@ -374,7 +374,7 @@ export default class Select {
const optionEl = document.createElement('option')
optionEl.id = info.id
optionEl.value = info.value
optionEl.innerHTML = info.text
optionEl.textContent = info.text
if (info.html !== '') {
optionEl.setAttribute('data-html', info.html)
}
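Review bot: The new `textContent` assignment makes `info.text` markup-free, but the `html` field two lines below still flows into `data-html` unescaped, and nothing in the hunk records which of the two fields is the trusted-markup channel. I'd add `// text is rendered literally; markup must come through info.html (data-html), which the caller is responsible for sanitizing` above the assignment so the next maintainer does not reintroduce innerHTML here. Callers that previously relied on entity decoding in `text` (e.g. `&amp;`) will now see the raw entity, which deserves a line in the changelog. Where `data-html` is consumed is outside this hunk, so its safety cannot be judged here, and the enclosing method also starts above the hunk.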
15 changes: 15 additions & 0 deletions src/slim-select/settings.test.ts
Expand Up @@ -195,6 +195,21 @@ describe('Settings module', () => {
expect(optionElement.dataset.html).toBe(option.html)
})

test('malicious text is inserted with innerText', () => {
// decoded text: <img src=x onerror=alert(1)></img>
const str = '&#x3c;&#x69;&#x6d;&#x67;&#x20;&#x73;&#x72;&#x63;&#x3d;&#x78;&#x20;&#x6f;&#x6e;&#x65;&#x72;&#x72;&#x6f;&#x72;&#x3d;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x3e;&#x3c;&#x2f;&#x69;&#x6d;&#x67;&#x3e;'
// const str = 'opt'
const decode = (string: string|null) => {
if(string === null) return ''
const doc = new DOMParser().parseFromString(string, "text/html")
return doc.documentElement.textContent;
}
const option = new Option({ text: str })
const optionElement = select.createOption(option)
// expect(decode(optionElement.textContent)).toBe('opt')
expect(optionElement.textContent).toBe(str)
})

test('disabled sets disabled property correctly', () => {
const option = new Option({ text: 'opt', disabled: true })
const optionElement = select.createOption(option)
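Review bot: The test name at the top of the added block says "inserted with innerText" while the assertion checks `textContent` (and the production code now uses `textContent`), and the block carries dead code: the commented-out `const str = 'opt'`, the unused `decode` helper, and the commented-out `decode(...)` expectation. Because the payload is fully entity-encoded, the old `innerHTML` path would have decoded it to a text node rather than creating an element, so the test detects the entity-decoding difference but never exercises the actual injection (an `<img>` child being created). I'd rename it to `test('text containing markup is inserted literally', ...)`, drop the dead helper and comments, and add a raw-markup case such as `const raw = '<img src=x onerror=alert(1)>'` with `expect(select.createOption(new Option({ text: raw })).querySelector('img')).toBeNull()` alongside the existing `toBe(str)` assertion.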
