N°1737 Fix tags sanitization in search criteria

2026-04-23 10:38:45 +02:00 · 2018-11-27 17:43:21 +01:00
parent 122c3a9542
commit 19d4de482d
4 changed files with 31 additions and 27 deletions
--- a/js/search/search_form_criteria.js
+++ b/js/search/search_form_criteria.js
@@ -760,7 +760,8 @@ $(function()
 			var aValues = [];
 			for(var iValueIdx in aRawValues)
 			{
-				aValues.push(aRawValues[iValueIdx].label);
+				var sEscapedLabel = $('<div />').text(aRawValues[iValueIdx].label).html();
+				aValues.push(sEscapedLabel);
 			}

 			return aValues.join(', ');
--- a/js/search/search_form_criteria_enum.js
+++ b/js/search/search_form_criteria_enum.js
@@ -829,10 +829,11 @@ $(function()
 		// - Make a jQuery element for a list item
 		_makeListItemElement: function(sLabel, sValue, bInitChecked, bInitHidden)
 		{
+			var sEscapedLabel = $('<div />').text(sLabel).html();
 			var oItemElem = $('<div></div>')
 				.addClass('sfc_opc_mc_item')
 				.attr('data-value-code', sValue)
-				.append('<label><input type="checkbox" value="'+sValue+'"/>'+sLabel+'</label>');
+				.append('<label><input type="checkbox" value="'+sValue+'"/>'+sEscapedLabel+'</label>');

 			if(bInitChecked === true)
 			{