fix(core): use textContent instead of innerHTML

Johann-S · Feb 3, 2020 · d78897b · d78897b
1 parent 90b9311
commit d78897b
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/src/eventHandlers.js b/src/eventHandlers.js
@@ -29,7 +29,7 @@ function handleInputChange() {
     const inputValue = getSelectedFiles(this)
 
     if (inputValue.length) {
-      element.innerHTML = inputValue
+      element.textContent = inputValue
     } else {
       restoreDefaultText(this)
     }

diff --git a/src/util.js b/src/util.js
@@ -34,7 +34,8 @@ const restoreDefaultText = (input) => {
 
   if (label) {
     const element = findFirstChildNode(label)
-    element.innerHTML = defaultText
+
+    element.textContent = defaultText
   }
 }
 

diff --git a/tests/units/eventHandlers.spec.js b/tests/units/eventHandlers.spec.js
@@ -40,6 +40,24 @@ describe('eventHandlers.js', function () {
       input.dispatchEvent(new Event('change'))
     })
 
+    it('should change the label when a file is selected and escape html', function (done) {
+      bsCustomFileInput.init()
+
+      var label = document.querySelector('.custom-file-label')
+      var expectedValue = '&lt;svg onload=alert(1)&gt;'
+
+      input.addEventListener('change', function () {
+        expect(label.innerHTML).equal(expectedValue)
+        done()
+      })
+
+      Object.defineProperty(input, 'value', {
+        value: '<svg onload=alert(1)>',
+      })
+
+      input.dispatchEvent(new Event('change'))
+    })
+
     it('should remove fakepath if found', function (done) {
       bsCustomFileInput.init()