From 53fd41e74863c2ebb3c6f9686289736319480289 Mon Sep 17 00:00:00 2001
From: Stephen Abello
Date: Thu, 12 Aug 2021 14:20:20 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B04127=20Fix=20XSS=20vulnerability=20in=20?=
 =?UTF-8?q?autocomplete=20lists?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 js/extkeywidget.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/js/extkeywidget.js b/js/extkeywidget.js
index f41e27a0a..632ac3f13 100644
--- a/js/extkeywidget.js
+++ b/js/extkeywidget.js
@@ -239,7 +239,8 @@ function ExtKeyWidget(id, sTargetClass, sFilter, sTitle, bSelectMode, oWizHelper
 .autocomplete("instance")._renderItem = function (ul, item) {
 $(ul).addClass('selectize-dropdown');
 var term = this.term.replace("/([\^\$\(\)\[\]\{\}\*\.\+\?\|\\])/gi", "\\$1");
- var val = item.label.replace(new RegExp("(?![^&;]+;)(?!<[^<>]*)("+term+")(?![^<>]*>)(?![^&;]+;)", "gi"), "$1");
+ var val = $('').text(item.label).html();
+ val = val.replace(new RegExp("(?![^&;]+;)(?!<[^<>]*)("+term+")(?![^<>]*>)(?![^&;]+;)", "gi"), "$1");
 if (item.obsolescence_flag == '1') {
 val = ' '+val;
 }
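Review bot: The added `val = val.replace(new RegExp("…("+term+")…", "gi"), …)` line still builds a RegExp from `this.term` that is never actually escaped: the preceding context line passes a string, not a regex literal, as the first argument of `replace`, so it only searches for the literal text `/([\^\$\(\)\[\]\{\}\*\.\+\?\|\\])/gi` and leaves every metacharacter in the typed term untouched. A user typing `(`, `[` or `\` therefore makes `new RegExp` throw a SyntaxError inside `_renderItem` and breaks the dropdown, and any other metacharacters are interpreted as pattern syntax, so what gets highlighted (and how much work the match does) depends on the typed text rather than on its literal value. Escaping with a real regex literal fixes it: `var term = this.term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");`. The entity-escaping of `item.label` introduced on the first added line is the right fix for the label side and the `$1` replacement then only re-wraps already-escaped text; `_renderItem` continues past the end of the hunk.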