From b6a0c933b5e93730b0188c95159d65f22838bea1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20W=C3=B3js?=
Date: Thu, 25 Nov 2021 14:06:21 +0100
Subject: [PATCH] Merge pull request from GHSA-fxwm-rx68-p5vx
---
 .../js/OnlineEditor/buttons/ez-btn-customtag-update.js | 7 ++++++-
 .../js/OnlineEditor/plugins/base/ez-custom-tag-base.js | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/bundle/Resources/public/js/OnlineEditor/buttons/ez-btn-customtag-update.js b/src/bundle/Resources/public/js/OnlineEditor/buttons/ez-btn-customtag-update.js
index b43ba8a6..bc2b2647 100644
--- a/src/bundle/Resources/public/js/OnlineEditor/buttons/ez-btn-customtag-update.js
+++ b/src/bundle/Resources/public/js/OnlineEditor/buttons/ez-btn-customtag-update.js
@@ -263,7 +263,12 @@ export default class EzBtnCustomTagUpdate extends EzWidgetButton {
 */
 createAttributes() {
 return Object.keys(this.attributes).reduce(
- (total, attr) => `${total}

${this.attributes[attr].label}: ${this.state.values[attr].value}

`,
+ (total, attr) => {
+ const label = this.attributes[attr].label;
+ const value = window.eZ.helpers.text.escapeHTML(this.state.values[attr].value);
+
+ return `${total}

${label}: ${value}

`;
+ },
 ''
 );
 }
diff --git a/src/bundle/Resources/public/js/OnlineEditor/plugins/base/ez-custom-tag-base.js b/src/bundle/Resources/public/js/OnlineEditor/plugins/base/ez-custom-tag-base.js
index 7bf5b967..d82a86c2 100644
--- a/src/bundle/Resources/public/js/OnlineEditor/plugins/base/ez-custom-tag-base.js
+++ b/src/bundle/Resources/public/js/OnlineEditor/plugins/base/ez-custom-tag-base.js
@@ -203,7 +203,7 @@ const customTagBaseDefinition = {
 return;
 }
 const attributes = Object.keys(customTagConfig.attributes).reduce((total, attr) => {
- const value = this.getConfig(attr);
+ const value = global.eZ.helpers.text.escapeHTML(this.getConfig(attr));
 return `${total}
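Review bot: The attribute label is still interpolated unescaped on the new side (`const label = this.attributes[attr].label;`) while only the value goes through `escapeHTML`; if labels can come from anywhere other than trusted deployment config, they remain an injection point into the same template that the fix is hardening. Treating both the same costs one line, `const label = window.eZ.helpers.text.escapeHTML(this.attributes[attr].label);`, and removes the need to reason about where labels originate. It is also worth confirming that `escapeHTML` tolerates non-string input (numeric or boolean attribute types, or a value that is not yet set), since the old template literal stringified those implicitly and the helper's behaviour on `undefined` is not visible in this hunk. The sibling hunk reaches the same helper through `global.eZ` rather than `window.eZ`; using one spelling in both files avoids a silent failure if one alias is missing in some bundle. The enclosing class `EzBtnCustomTagUpdate` continues outside the hunk.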

${customTagConfig.attributes[attr].label}: ${value}

`;
 }, '');
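Review bot: `this.getConfig(attr)` is handed straight to `escapeHTML`, and for an attribute the tag does not carry it is presumably `undefined`; the old template literal rendered that as the literal string `undefined`, whereas what the helper returns for a non-string is not visible here, so the rendered preview now depends on the helper's coercion. If an empty cell is preferred, `const raw = this.getConfig(attr);` followed by `const value = global.eZ.helpers.text.escapeHTML(raw === undefined || raw === null ? '' : String(raw));` makes that explicit. The label `customTagConfig.attributes[attr].label` is still interpolated raw; if it is only ever read from deployment config that is acceptable, but a comment such as `// label comes from trusted custom-tag config; value is user-supplied and must be escaped` would stop the next reader from treating the asymmetry as an oversight. The helper is reached via `global.eZ` here and `window.eZ` in the button file; one alias for both would be less fragile. The enclosing function of this hunk begins and ends outside it.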