library-mirrors/jquery-ui
1
0
Fork 0
mirror of https://github.com/jquery/jquery-ui.git synced 2024-11-21 11:04:24 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Checkboxradio: Don't re-evaluate text labels as HTML

Browse Source 
If you generate a Checkboxradio from a checkbox/radio with a label that
contains encoded HTML, e.g. `<em>test</em>` this will work fine
at first. If, however a refresh is triggered on that instance (explicitly or
e.g. by turning it into a `Controlgroup`), the previously escaped HTML will
now be evaluated.

If the label was created based on some user input, this could lead to
unexpected code execution even though the initial output was escaped.

Fixes gh-2101
Closes gh-2102
This commit is contained in:
Michał Gołębiowski-Owczarek 2022-07-14 20:52:02 +02:00 committed by GitHub
parent b53e7beb68
commit 8cc5bae1ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 99 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
tests/unit/checkboxradio/checkboxradio.html
View File

@ -64,6 +64,18 @@
<label> <label>
<input type="checkbox" id="label-with-no-for"/> <input type="checkbox" id="label-with-no-for"/>
</label> </label>
<label>
<input type="checkbox" id="label-with-no-for-with-html"/>
<strong>Hi</strong>, <em>I'm a label</em>
</label>
<label>
<input type="checkbox" id="label-with-no-for-with-text"/>
Hi, I'm a label
</label>
<label>
<input type="checkbox" id="label-with-no-for-with-html-like-text"/>
&lt;em&gt;Hi, I'm a label&lt;/em&gt;
</label>
<form id="form3"></form> <form id="form3"></form>
<input type="radio" name="crazy-form" id="crazy-form-1" form="form3" checked="checked"> <input type="radio" name="crazy-form" id="crazy-form-1" form="form3" checked="checked">

37
tests/unit/checkboxradio/core.js
View File

@ -131,4 +131,41 @@ QUnit.test( "Calling checkboxradio on an input with no label throws an error", f
); );
} ); } );
QUnit.test( "Inheriting label from initial HTML", function( assert ) {
var tests = [
{
id: "label-with-no-for-with-html",
expectedLabel: "<strong>Hi</strong>, <em>I'm a label</em>"
},
{
id: "label-with-no-for-with-text",
expectedLabel: "Hi, I'm a label"
},
{
id: "label-with-no-for-with-html-like-text",
expectedLabel: "&lt;em&gt;Hi, I'm a label&lt;/em&gt;"
}
];
assert.expect( tests.length );
tests.forEach( function( testData ) {
var id = testData.id;
var expectedLabel = testData.expectedLabel;
var inputElem = $( "#" + id );
var labelElem = inputElem.parent();
inputElem.checkboxradio( { icon: false } );
var labelWithoutInput = labelElem.clone();
labelWithoutInput.find( "input" ).remove();
assert.strictEqual(
labelWithoutInput.html().trim(),
expectedLabel.trim(),
"Label correct [" + id + "]"
);
} );
} );
} ); } );

38
tests/unit/checkboxradio/methods.js
View File

@ -96,4 +96,42 @@ QUnit.test( "Input wrapped in a label preserved on refresh", function( assert )
assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input preserved" ); assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input preserved" );
} ); } );
QUnit.test( "Initial text label not turned to HTML on refresh", function( assert ) {
var tests = [
{
id: "label-with-no-for-with-html",
expectedLabel: "<strong>Hi</strong>, <em>I'm a label</em>"
},
{
id: "label-with-no-for-with-text",
expectedLabel: "Hi, I'm a label"
},
{
id: "label-with-no-for-with-html-like-text",
expectedLabel: "&lt;em&gt;Hi, I'm a label&lt;/em&gt;"
}
];
assert.expect( tests.length );
tests.forEach( function( testData ) {
var id = testData.id;
var expectedLabel = testData.expectedLabel;
var inputElem = $( "#" + id );
var labelElem = inputElem.parent();
inputElem.checkboxradio( { icon: false } );
inputElem.checkboxradio( "refresh" );
var labelWithoutInput = labelElem.clone();
labelWithoutInput.find( "input" ).remove();
assert.strictEqual(
labelWithoutInput.html().trim(),
expectedLabel.trim(),
"Label correct [" + id + "]"
);
} );
} );
} ); } );

19
ui/widgets/checkboxradio.js
View File

@ -50,8 +50,7 @@ $.widget( "ui.checkboxradio", [ $.ui.formResetMixin, {
}, },
_getCreateOptions: function() { _getCreateOptions: function() {
var disabled, labels; var disabled, labels, labelContents;
var that = this;
var options = this._super() || {}; var options = this._super() || {};
// We read the type here, because it makes more sense to throw a element type error first, // We read the type here, because it makes more sense to throw a element type error first,
@ -71,12 +70,18 @@ $.widget( "ui.checkboxradio", [ $.ui.formResetMixin, {
// We need to get the label text but this may also need to make sure it does not contain the // We need to get the label text but this may also need to make sure it does not contain the
// input itself. // input itself.
this.label.contents().not( this.element[ 0 ] ).each( function() { // The label contents could be text, html, or a mix. We wrap all elements
// and read the wrapper's `innerHTML` to get a string representation of
// the label, without the input as part of it.
labelContents = this.label.contents().not( this.element[ 0 ] );
// The label contents could be text, html, or a mix. We concat each element to get a if ( labelContents.length ) {
// string representation of the label, without the input as part of it. this.originalLabel += labelContents
that.originalLabel += this.nodeType === 3 ? $( this ).text() : this.outerHTML; .clone()
} ); .wrapAll( "<div></div>" )
.parent()
.html();
}
// Set the label option if we found label text // Set the label option if we found label text
if ( this.originalLabel ) { if ( this.originalLabel ) {