From 8cc5bae1caa1fcf96bf5862c5646c787020ba3f9 Mon Sep 17 00:00:00 2001 From: Michał Gołębiowski-Owczarek Date: Thu, 14 Jul 2022 20:52:02 +0200 Subject: Checkboxradio: Don't re-evaluate text labels as HTML If you generate a Checkboxradio from a checkbox/radio with a label that contains encoded HTML, e.g. `<em>test</em>` this will work fine at first. If, however a refresh is triggered on that instance (explicitly or e.g. by turning it into a `Controlgroup`), the previously escaped HTML will now be evaluated. If the label was created based on some user input, this could lead to unexpected code execution even though the initial output was escaped. Fixes gh-2101 Closes gh-2102 --- ui/widgets/checkboxradio.js | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'ui/widgets') diff --git a/ui/widgets/checkboxradio.js b/ui/widgets/checkboxradio.js index b2537d292..afa4a446d 100644 --- a/ui/widgets/checkboxradio.js +++ b/ui/widgets/checkboxradio.js @@ -50,8 +50,7 @@ $.widget( "ui.checkboxradio", [ $.ui.formResetMixin, { }, _getCreateOptions: function() { - var disabled, labels; - var that = this; + var disabled, labels, labelContents; var options = this._super() || {}; // We read the type here, because it makes more sense to throw a element type error first, @@ -71,12 +70,18 @@ $.widget( "ui.checkboxradio", [ $.ui.formResetMixin, { // We need to get the label text but this may also need to make sure it does not contain the // input itself. - this.label.contents().not( this.element[ 0 ] ).each( function() { - - // The label contents could be text, html, or a mix. We concat each element to get a - // string representation of the label, without the input as part of it. - that.originalLabel += this.nodeType === 3 ? $( this ).text() : this.outerHTML; - } ); + // The label contents could be text, html, or a mix. We wrap all elements + // and read the wrapper's `innerHTML` to get a string representation of + // the label, without the input as part of it. + labelContents = this.label.contents().not( this.element[ 0 ] ); + + if ( labelContents.length ) { + this.originalLabel += labelContents + .clone() + .wrapAll( "
" ) + .parent() + .html(); + } // Set the label option if we found label text if ( this.originalLabel ) { -- cgit v1.2.3