bug #5971 Fix XSS in autocomplete (simoheinonen)

This PR was merged into the 4.x branch. Discussion ---------- Fix XSS in autocomplete Commits ------- 081ac97 Fix XSS in autocomplete
EasyCorp · Oct 23, 2023 · 7237fcb · 7237fcb
2 parents a134a1c + 081ac97
commit 7237fcb
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 5 deletions.
diff --git a/assets/js/autocomplete.js b/assets/js/autocomplete.js
@@ -129,7 +129,7 @@ export default class Autocomplete
                     return `<div>${item.entityAsString}</div>`;
                 },
                 item: function(item, escape) {
-                    return `<div>${item.entityAsString}</div>`;
+                    return `<div>${escape(item.entityAsString)}</div>`;
                 },
                 loading_more: function(data, escape) {
                     return `<div class="loading-more-results">${element.getAttribute('data-ea-i18n-loading-more-results')}</div>`;

diff --git a/src/Resources/public/app.c647be58.js → src/Resources/public/app.a937f82e.js b/src/Resources/public/app.c647be58.js → src/Resources/public/app.a937f82e.js
diff --git a/...ources/public/app.c647be58.js.LICENSE.txt → ...ources/public/app.a937f82e.js.LICENSE.txt b/...ources/public/app.c647be58.js.LICENSE.txt → ...ources/public/app.a937f82e.js.LICENSE.txt
diff --git a/src/Resources/public/entrypoints.json b/src/Resources/public/entrypoints.json
@@ -6,7 +6,7 @@
         "/app.1c98f4b0.rtl.css"
       ],
       "js": [
-        "/app.c647be58.js"
+        "/app.a937f82e.js"
       ]
     },
     "form": {

diff --git a/src/Resources/public/manifest.json b/src/Resources/public/manifest.json
@@ -1,7 +1,7 @@
 {
   "app.css": "app.1c98f4b0.css",
   "app.rtl.css": "app.1c98f4b0.rtl.css",
-  "app.js": "app.c647be58.js",
+  "app.js": "app.a937f82e.js",
   "form.js": "form.fc39362b.js",
   "page-layout.js": "page-layout.3347892e.js",
   "page-color-scheme.js": "page-color-scheme.a1970567.js",