FIO-7466: Fixed an issue where code inside tolltips will be executed (#…

…5392) * FIO-7466: Fixed an issue where code inside tolltips/descriptions will be executed * Removed console.log
formio · Oct 31, 2023 · 2209bc1 · 2209bc1
1 parent 69bce85
commit 2209bc1
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 2 deletions.
diff --git a/src/components/_classes/component/Component.js b/src/components/_classes/component/Component.js
@@ -1223,7 +1223,7 @@ export default class Component extends Element {
           placement: 'right',
           zIndex: 10000,
           interactive: true,
-          content: this.t(tooltipText, { _userInput: true }),
+          content: this.t(this.sanitize(tooltipText), { _userInput: true }),
         });
       }
     });

diff --git a/src/components/_classes/component/Component.unit.js b/src/components/_classes/component/Component.unit.js
@@ -9,6 +9,7 @@ import { comp1 } from './fixtures';
 import _merge from 'lodash/merge';
 import comp3 from './fixtures/comp3';
 import comp4 from './fixtures/comp4';
+import comp5 from './fixtures/comp5';
 
 describe('Component', () => {
   it('Should create a Component', (done) => {
@@ -356,4 +357,17 @@ describe('Component', () => {
       .catch(done);
     });
   });
+
+  it('Should not execute code inside Tooltips/Description', (done) => {
+    const formElement = document.createElement('div');
+    const form = new Webform(formElement);
+
+    form.setForm(comp5).then(() => {
+      setTimeout(() => {
+        assert.equal(window._ee, undefined, 'Should not execute code inside Tooltips/Description');
+        done();
+      }, 200);
+    })
+      .catch(done);
+  });
 });
diff --git a/src/components/_classes/component/fixtures/comp5.js b/src/components/_classes/component/fixtures/comp5.js
@@ -0,0 +1,24 @@
+export default {
+  type: 'form',
+  display: 'form',
+  components: [
+    {
+      label: 'Text Field',
+      description: "<img <img src='https://somesite' onerror='var _ee = 2' >",
+      tooltip: "<img src='https://somesite' onerror='var _ee = 1 >",
+      applyMaskOn: 'change',
+      tableView: true,
+      key: 'textField',
+      type: 'textfield',
+      input: true
+    },
+    {
+      type: 'button',
+      label: 'Submit',
+      key: 'submit',
+      disableOnInvalid: true,
+      input: true,
+      tableView: false
+    }
+  ],
+};
diff --git a/src/components/_classes/component/fixtures/index.js b/src/components/_classes/component/fixtures/index.js
@@ -2,4 +2,5 @@ import comp1 from './comp1';
 import comp2 from './comp2';
 import comp3 from './comp3';
 import comp4 from './comp4';
-export { comp1, comp2, comp3, comp4 };
+import comp5 from './comp5';
+export { comp1, comp2, comp3, comp4, comp5 };