This fixes a few places where data was not being escaped in the API, and also handles what appears to be a bug in Select2 (that was first reported in 2016, but has not been addressed).
Because we use rich menus (images, etc.) in our dropdowns, we use the HTML template feature of Select2. While the data we send to Select2 was properly escaped, a bug in Select2 takes that escaped data and parses the HTML in the DOM when the "selected" method fires.
This vulnerability in Select2 is likely reproducible in any implementation of Select2 where the application is using remote data loading via ajax and also using HTML templates to display the listbox data. We've mitigated it in our specific implementation, and have reached out to Select2 to see if there's been any progress on patching the Select2 library itself.
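The pattern described above, as an added example that is not part of the PR and is not Select2's code. It is a small Node-runnable model of the widget's rendering contract (modelled on Select2 4.x: a string returned by `templateResult`/`templateSelection` goes through `escapeMarkup` and is then parsed as HTML by the DOM sink, while a jQuery/DOM node is appended without parsing). `decodeEntities` is a constructed stand-in for the entity-decoding step the PR describes, not an actual Select2 function; the item data and the `onerror` payload are constructed. The point it makes is that escaping on the server only holds as long as nothing between the API and the DOM decodes the entities, whereas a node-based template keeps the untrusted field in a text node so no later parse can promote it to markup.

```javascript
// Escape map modelled on Select2's default escapeMarkup (Utils.escapeMarkup).
const ESCAPE_MAP = {
  '\\': '&#92;', '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#47;',
};

// Default escapeMarkup: strings are escaped, anything else (a DOM node) passes through.
function escapeMarkupDefault(markup) {
  if (typeof markup !== 'string') return markup;
  return markup.replace(/[\\&<>"'\/]/g, (ch) => ESCAPE_MAP[ch]);
}

// The usual "let my HTML templates through" setting: escapeMarkup: m => m.
const identity = (m) => m;

// Constructed stand-in for an entity-decoding step between the template and the DOM
// (the kind of bug the PR describes). Not Select2's code.
function decodeEntities(text) {
  const reverse = Object.fromEntries(Object.entries(ESCAPE_MAP).map(([c, e]) => [e, c]));
  return text.replace(/&(?:#\d+|[a-z]+);/gi, (e) => (e in reverse ? reverse[e] : e));
}

// Toy serializer for a node template: text nodes and attribute values are escaped when
// written out, which is what the real DOM guarantees for textContent / setAttribute.
function serialize(node) {
  if ('text' in node) return escapeMarkupDefault(node.text);
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ` ${k}="${escapeMarkupDefault(String(v))}"`).join('');
  return `<${node.tag}${attrs}>${node.children.map(serialize).join('')}</${node.tag}>`;
}

// Model of the selection render path: template -> escapeMarkup -> (optional decode) -> DOM.
// Returns the string the DOM sink would parse as HTML.
function renderSelection(item, { templateSelection, escapeMarkup = escapeMarkupDefault,
                                 decodeBeforeInsert = false }) {
  let formatted = escapeMarkup(templateSelection(item));
  if (decodeBeforeInsert && typeof formatted === 'string') formatted = decodeEntities(formatted);
  return typeof formatted === 'string' ? formatted : serialize(formatted);
}

// Detector for the constructed payload: an <img> whose onerror is a live attribute.
function payloadIsLive(html) {
  return /<img[^>]*\bonerror\s*=/i.test(html);
}

// Constructed item with an XSS payload in the untrusted text field.
const ITEM = { id: 7, icon: '/icons/7.png', text: '<img src=x onerror=alert(1)>' };
// What an API that escapes on the server would hand to the widget.
const PRE_ESCAPED_ITEM = { ...ITEM, text: escapeMarkupDefault(ITEM.text) };

// 1. String template, raw interpolation. Needs escapeMarkup disabled for the icon to render,
//    at which point item.text is parsed as HTML too.
function templateUnsafe(item) {
  return '<img class="ico" src="' + item.icon + '"> ' + item.text;
}

// 2. String template that escapes each untrusted field at the sink itself.
function templateEscaped(item) {
  return '<img class="ico" src="' + escapeMarkupDefault(item.icon) + '"> '
    + escapeMarkupDefault(item.text);
}

// 3. Node template (in a browser: $('<span>').append($('<img>', {src: item.icon}))
//    .append(document.createTextNode(' ' + item.text))). Text is never parsed as markup,
//    and a string-only decode step has nothing to act on.
function templateNode(item) {
  return { tag: 'span', attrs: {}, children: [
    { tag: 'img', attrs: { class: 'ico', src: item.icon }, children: [] },
    { text: ' ' + item.text },
  ] };
}
```

With `escapeMarkup` disabled, the pre-escaped item is inert only until an entity-decoding step runs before insertion; the node template stays inert even then because the decode applies to strings alone. In real Select2 usage the equivalent of `templateNode` is a template that returns a jQuery object built with `.text()` rather than a concatenated string.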