Protect Selector Manager views from XSS. Closes #4411
artf committed Jun 27, 2022
1 parent dca4e97 commit 13e85d1
Showing 2 changed files with 26 additions and 32 deletions.
7 changes: 3 additions & 4 deletions src/selector_manager/view/ClassTagView.ts
@@ -1,5 +1,6 @@
import { View } from '../../common';
import State from '../model/State';
import html from '../../utils/html';

const inputProp = 'contentEditable';

@@ -8,12 +9,10 @@ export default class ClassTagView extends View<State> {
const { pfx, model, config } = this;
const label = model.get('label') || '';

return `
return html`
<span id="${pfx}checkbox" class="${pfx}tag-status" data-tag-status></span>
<span id="${pfx}tag-label" data-tag-name>${label}</span>
<span id="${pfx}close" class="${pfx}tag-close" data-tag-remove>
${config.iconTagRemove}
</span>
<span id="${pfx}close" class="${pfx}tag-close" data-tag-remove> $${config.iconTagRemove} </span>
`;
}

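Review bot: The `$${config.iconTagRemove}` interpolation in the rewritten close-button span is still inserted as markup, because the `$$` prefix appears to be the `html` helper's opt-out from escaping (the helper is not shown on this page, so confirm). That is reasonable for an SVG icon, but nothing on the line records that the value must be developer-supplied configuration, so a later change that fills it from project or imported data would reopen what this commit closes. I would add a comment above the template, for example `// iconTagRemove is inserted unescaped ($$): trusted editor config only, never project data`. The same applies to `$${iconAdd}` and `$${iconSync}` in src/selector_manager/view/ClassTagsView.ts. The enclosing method starts above this hunk.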
51 changes: 23 additions & 28 deletions src/selector_manager/view/ClassTagsView.ts
@@ -11,36 +11,31 @@ import Selectors from '../model/Selectors';

export default class ClassTagsView extends View<Selector> {
template({ labelInfo, labelHead, iconSync, iconAdd, pfx, ppfx }: any) {
return `
<div id="${pfx}up" class="${pfx}header">
<div id="${pfx}label" class="${pfx}header-label">${labelHead}</div>
<div id="${pfx}status-c" class="${pfx}header-status">
<span id="${pfx}input-c" data-states-c>
<div class="${ppfx}field ${ppfx}select">
<span id="${ppfx}input-holder">
<select id="${pfx}states" data-states></select>
</span>
<div class="${ppfx}sel-arrow">
<div class="${ppfx}d-s-arrow"></div>
return html` <div id="${pfx}up" class="${pfx}header">
<div id="${pfx}label" class="${pfx}header-label">${labelHead}</div>
<div id="${pfx}status-c" class="${pfx}header-status">
<span id="${pfx}input-c" data-states-c>
<div class="${ppfx}field ${ppfx}select">
<span id="${ppfx}input-holder">
<select id="${pfx}states" data-states></select>
</span>
<div class="${ppfx}sel-arrow">
<div class="${ppfx}d-s-arrow"></div>
</div>
</div>
</div>
</span>
</span>
</div>
</div>
</div>
<div id="${pfx}tags-field" class="${ppfx}field">
<div id="${pfx}tags-c" data-selectors></div>
<input id="${pfx}new" data-input/>
<span id="${pfx}add-tag" class="${pfx}tags-btn ${pfx}tags-btn__add" data-add>
${iconAdd}
</span>
<span class="${pfx}tags-btn ${pfx}tags-btn__sync" style="display: none" data-sync-style>
${iconSync}
</span>
</div>
<div class="${pfx}sels-info">
<div class="${pfx}label-sel">${labelInfo}:</div>
<div class="${pfx}sels" data-selected></div>
</div>`;
<div id="${pfx}tags-field" class="${ppfx}field">
<div id="${pfx}tags-c" data-selectors></div>
<input id="${pfx}new" data-input />
<span id="${pfx}add-tag" class="${pfx}tags-btn ${pfx}tags-btn__add" data-add> $${iconAdd} </span>
<span class="${pfx}tags-btn ${pfx}tags-btn__sync" style="display: none" data-sync-style> $${iconSync} </span>
</div>
<div class="${pfx}sels-info">
<div class="${pfx}label-sel">${labelInfo}:</div>
<div class="${pfx}sels" data-selected></div>
</div>`;
}

events() {
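Review bot: No test accompanies the switch to `html` in `template()`: the diffstat lists only the two view files, so nothing would catch a later refactor that goes back to a plain template literal. A small view spec would pin the fix by rendering the view with a `labelHead` value that contains markup and asserting that the `${pfx}header-label` element has no child elements and that its `textContent` equals the input string. An equivalent assertion on the `data-tag-name` span in ClassTagView.ts would cover the tag label as well.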
