Make HTML in node titles optional

[Blinnikov]

Please consider using of innerText for <span> tag when constructing node's title to prevent HTML injection. For now if I have title of my node looking something like this: <hi>
then I will not see this title in the browser. It will be interpreted as html-tag.

The possible solution is to change line 2804

nodeTitle = "<span " + role + " class='fancytree-title'" + id + tooltip + tabindex + ">" + node.title + "</span>";

to something like this:

var span = document.createElement('span');
span.className = 'fancytree-title';
if (aria) {
    span.setAttribute('role', 'treeitem');
    span.setAttribute('id', 'ftal_' + node.key);
}
if (node.tooltip) {
    span.setAttribute('title', node.tooltip.replace(/\"/g, """));
}
span.innerText = node.title;
nodeTitle = span.outerHTML;

[mar10]

I would consider html markup inside a node title a feature, not a bug ;-)
What are your concerns?

(Is there some text missing in your message?):

For now if I have title of my node looking something like this:
then I will

[Blinnikov]

Corrected the message. I forgot to escape html.

If you allow node's title to contain html markup it is direct way to html injection. It is possible to set title as <script>alert('Hi');</script> and you will see alert message in your browser. I think this ability should be prohibited. The other possible solution I see - to have the option to allow setting title as innerText or innerHtml of the span element.

[mar10]

Would a new method node.setTitleSafe() help, or are you concerned about an untrusted Ajax source? Then an option {allowHtmlTitles: true} could be a solution.

What scenario are you thinking about, and can you give some references what danger you see?
I still think it's an important feature to allow HTML markup in the titles, and I am not planning to disallow this altogether.

[Blinnikov]

I agree that having ability to set HTML in the node is good. But when it used properly.
I think {allowHtmlTitles: true} option would be great.

In our current project we allow end users to create items that lately will be shown in the tree structure. In this case if user creates item with closing tag in title (like </li> or </ul>) then layout will be broken. In other case user can insert malicious js-code into title. This code can redirect me to some other page that looks like mine, moreover it can chage tree structure, add fake nodes or remove existing ones. Maybe a lot of examples.

[markbernard]

You are getting the user input so sanitize it before applying it.

[mar10]

I would agree with @markbernard: The programmer is responsible to escape the HTML, before setting it as title. Closing this for now.