From d78897b8ef6afdd983e7629e168cba948adeed69 Mon Sep 17 00:00:00 2001
From: Johann-S
Date: Mon, 3 Feb 2020 09:47:27 +0100
Subject: [PATCH] fix(core): use textContent instead of innerHTML

---
 src/eventHandlers.js | 2 +-
 src/util.js | 3 ++-
 tests/units/eventHandlers.spec.js | 18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/eventHandlers.js b/src/eventHandlers.js
index a6f16d3..35e8a08 100644
--- a/src/eventHandlers.js
+++ b/src/eventHandlers.js
@@ -29,7 +29,7 @@ function handleInputChange() {
   const inputValue = getSelectedFiles(this)
 
   if (inputValue.length) {
-    element.innerHTML = inputValue
+    element.textContent = inputValue
   } else {
     restoreDefaultText(this)
   }
diff --git a/src/util.js b/src/util.js
index c08d940..0df753c 100644
--- a/src/util.js
+++ b/src/util.js
@@ -34,7 +34,8 @@ const restoreDefaultText = (input) => {
 
   if (label) {
     const element = findFirstChildNode(label)
-    element.innerHTML = defaultText
+
+    element.textContent = defaultText
   }
 }
 
diff --git a/tests/units/eventHandlers.spec.js b/tests/units/eventHandlers.spec.js
index d3272dc..afde722 100644
--- a/tests/units/eventHandlers.spec.js
+++ b/tests/units/eventHandlers.spec.js
@@ -40,6 +40,24 @@ describe('eventHandlers.js', function () {
     input.dispatchEvent(new Event('change'))
   })
 
+  it('should change the label when a file is selected and escape html', function (done) {
+    bsCustomFileInput.init()
+
+    var label = document.querySelector('.custom-file-label')
+    var expectedValue = '<svg onload=alert(1)>'
+
+    input.addEventListener('change', function () {
+      expect(label.innerHTML).equal(expectedValue)
+      done()
+    })
+
+    Object.defineProperty(input, 'value', {
+      value: '',
+    })
+
+    input.dispatchEvent(new Event('change'))
+  })
+
   it('should remove fakepath if found', function (done) {
     bsCustomFileInput.init()
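Review bot: The new `element.textContent = inputValue` line gives no hint of why textContent is required here, and the next person who wants a formatted file name may switch it back to innerHTML; a why-comment above it, `// textContent, not innerHTML: selected file names are untrusted input and must not be parsed as markup`, would pin the intent. handleInputChange begins before the hunk, and `element` and `getSelectedFiles` are defined outside it. If getSelectedFiles can return an array rather than a string (not visible here), textContent stringifies it joined with commas, which is the same rendering innerHTML produced, so no behaviour changes on that path.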
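Review bot: `element.textContent = defaultText` is only a faithful restore if `defaultText` was captured as text; if it was read from `innerHTML` when the input was initialised (that code is outside the hunk), any entity such as `&amp;` or markup in the label's original content would now be displayed literally after a restore. The capture site should use textContent for symmetry, and the assumption is worth recording next to the assignment with `// defaultText is plain text (captured with textContent), so nothing is lost by assigning it here`. The added blank line between `const element = findFirstChildNode(label)` and the assignment that uses it reads as an accident rather than a deliberate grouping. restoreDefaultText begins outside the hunk.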
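Review bot: The new test sets `value: ''`, so according to the eventHandlers.js hunk the change handler takes the else branch and restores the default text; the `element.textContent = inputValue` line this commit fixes is never exercised, even though the test title says a file is selected. With the fix in place, a label whose text is `<svg onload=alert(1)>` serialises its innerHTML as `&lt;svg onload=alert(1)&gt;`, so `expect(label.innerHTML).equal(expectedValue)` asserts the unescaped string and can only hold if the fixture (outside the hunk) already supplies it as the default text. I would change the two lines to `value: expectedValue,` and `expect(label.innerHTML).equal('&lt;svg onload=alert(1)&gt;')`, optionally adding `expect(label.querySelector('svg')).equal(null)` to state directly that no element was created. How getSelectedFiles normalises `value` is not visible here, so the exact expected text may need adjusting.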