[CDE-837] - FilterComponent - html injection

core-js/src/main/javascript/cdf/components/filter/HtmlUtils.js

@@ -0,0 +1,11 @@
+define(function(){
+  return {
+    sanitizeHtml: function(html){
+	  html = html.replace(/<script\b[^>]*>/gi, "&lt;script&gt;").replace(/<\/script>/gi, "&lt;/script&gt;");
+	  html = html.replace(/<iframe\b[^>]*>/gi, "&lt;iframe&gt;").replace(/<\/iframe>/gi, "&lt;/iframe&gt;");
+	  html = html.replace(/<html\b[^>]*>/gi, "&lt;html&gt;").replace(/<\/html>/gi, "&lt;/html&gt;");
+	  html = html.replace(/<body\b[^>]*>/gi, "&lt;body&gt;").replace(/<\/body>/gi, "&lt;/body&gt;");
+      return html;
+    }
+  }
+});

core-js/src/main/javascript/cdf/components/filter/data-handlers/InputDataHandler.js

@@ -15,13 +15,13 @@ define([
   '../../../lib/jquery',
   'amd!../../../lib/underscore',
   '../baseevents/baseeventsModel',
-  '../../../Logger'
-], function($, _, BaseModel, Logger) {
+  '../../../Logger',
+  '../HtmlUtils'
+], function($, _, BaseModel, Logger, HtmlUtils) {
 
   var sanitizeInput = function(input) {
     return _.isString(input) ?
-      input.replace(/<script>/g, "&lt;script&gt;")
-        .replace(/<\/script>/g, "&lt;/script&gt;") :
+      HtmlUtils.sanitizeHtml(input) :
       input;
   };
   var getPageData = function(queryInfo, pageSize) {

core-js/src/main/javascript/cdf/components/filter/views/Abstract.js

@@ -18,8 +18,9 @@ define([
   '../../../Logger',
   '../models/SelectionTree',
   '../../../lib/jquery',
-  './scrollbar/ScrollBarFactory'
-], function (_, Mustache, BaseView, Logger, SelectionTree, $, ScrollBarFactory) {
+  './scrollbar/ScrollBarFactory',
+  '../HtmlUtils'
+], function (_, Mustache, BaseView, Logger, SelectionTree, $, ScrollBarFactory, HtmlUtils) {
 
   /**
    * @class cdf.components.filter.views.Abstract
@@ -77,6 +78,7 @@ define([
       return _.bind(function (viewModel) {
         if (this.template[slot]) {
           var html = Mustache.render(this.template[slot], viewModel);
+		  html = HtmlUtils.sanitizeHtml(html);
           this.$(this.config.view.slots[slot]).replaceWith(html);
         }
         this.injectContent(slot);
@@ -126,7 +128,9 @@ define([
       return this;
     },
     renderSkeleton: function (viewModel) {
-      this.$el.html(Mustache.render(this.template.skeleton, viewModel));
+	  var rHtml = Mustache.render(this.template.skeleton, viewModel);
+	  rHtml = HtmlUtils.sanitizeHtml(rHtml);
+      this.$el.html(rHtml);
       return this;
     },
     updateSelection: function (model, options) {
@@ -137,8 +141,9 @@ define([
       return this;
     },
     renderSelection: function (viewModel) {
-      var html = Mustache.render(this.template.selection, viewModel);
-      this.$(this.config.view.slots.selection).replaceWith(html);
+      var rHtml = Mustache.render(this.template.selection, viewModel);
+	  rHtml = HtmlUtils.sanitizeHtml(rHtml);
+      this.$(this.config.view.slots.selection).replaceWith(rHtml);
       this.injectContent('selection');
       return this;
     },