Update dev dependencies and fix issue 365 (#381)

- Fixed typo on `enableSecureText` description withing the documentation - Updated some dev dependencies from the project - Fixed issue #365 associated with a XSS vulnerability (`enableSecureText` most the set to true for this to be applied)
sa-si-dev · Jan 6, 2025 · 59b32a7 · 59b32a7
1 parent 10ec489
commit 59b32a7
Show file tree

Hide file tree

Showing 10 changed files with 2,886 additions and 2,577 deletions.
diff --git a/dist-archive/virtual-select-1.0.46.min.js b/dist-archive/virtual-select-1.0.46.min.js
diff --git a/dist/virtual-select.js b/dist/virtual-select.js
diff --git a/dist/virtual-select.min.js b/dist/virtual-select.min.js
diff --git a/docs/assets/virtual-select.js b/docs/assets/virtual-select.js
diff --git a/docs/assets/virtual-select.min.js b/docs/assets/virtual-select.min.js
diff --git a/docs/properties.md b/docs/properties.md
@@ -67,7 +67,7 @@
 | disableAllOptionsSelectedText  | Boolean           | false                                                  | By default, when all values selected "All (10)" value text would be shown. Set true to show value text as "10 options selected".                                                                              |
 | showValueAsTags                | Boolean           | false                                                  | Show each selected values as tags with remove icon                                                                                                                                                            |
 | disableOptionGroupCheckbox     | Boolean           | false                                                  | Disable option group title checkbox                                                                                                                                                                           |
-| enableSecureText               | Boolean           | false                                                  | Set true to replace HTML tags from option's text (value and label) to prevent XSS attack. This feature is not enabled by default to avoid performance issue.                                                  |
+| enableSecureText               | Boolean           | false                                                  | Set true to replace HTML tags from option's text (value and label) to prevent XSS attack. This feature is not enabled by default to avoid performance issues.                                                  |
 | setValueAsArray                | Boolean           | false                                                  | Set value for hidden input in array format (e.g. '["1", "2"]')                                                                                                                                                |
 | emptyValue                     | String            |                                                        | Empty value to use for hidden input when no value is selected (e.g. 'null' or '[]' or 'none')                                                                                                                 |
 | disableValidation              | Boolean           | false                                                  | Disable required validation                                                                                                                                                                                   |

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -24,29 +24,29 @@
     "tooltip-plugin": "^1.0.16"
   },
   "devDependencies": {
-    "@babel/core": "^7.20.5",
-    "@babel/preset-env": "^7.20.2",
-    "autoprefixer": "^10.4.13",
-    "babel-loader": "^9.1.0",
+    "@babel/core": "^7.26.0",
+    "@babel/preset-env": "^7.26.0",
+    "autoprefixer": "^10.4.20",
+    "babel-loader": "^9.2.1",
     "css-loader": "^6.7.2",
-    "cypress": "^13.8.0",
+    "cypress": "^13.17.0",
     "docsify-cli": "^4.4.4",
     "eslint": "^8.29.0",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-import-resolver-webpack": "^0.13.2",
     "eslint-plugin-import": "^2.26.0",
     "eslint-plugin-sonarjs": "^0.17.0",
     "filemanager-webpack-plugin": "^8.0.0",
-    "mini-css-extract-plugin": "^2.7.2",
+    "mini-css-extract-plugin": "^2.9.2",
     "popover-plugin": "^1.0.13",
-    "postcss-loader": "^7.0.2",
+    "postcss-loader": "^7.3.4",
     "sass": "^1.56.1",
-    "sass-loader": "^13.2.0",
-    "stylelint": "^14.16.0",
+    "sass-loader": "^13.3.3",
+    "stylelint": "^14.16.1",
     "stylelint-config-sass-guidelines": "^9.0.1",
     "typescript": "^4.9.3",
     "unminified-webpack-plugin": "^3.0.0",
-    "webpack": "^5.75.0",
-    "webpack-cli": "^5.0.1"
+    "webpack": "^5.97.1",
+    "webpack-cli": "^5.1.4"
   }
 }
diff --git a/src/utils/utils.js b/src/utils/utils.js
@@ -166,4 +166,14 @@ export class Utils {
   static containsHTML(text) {
     return /<[a-z][\s\S]*>/i.test(text);
   }
+
+  /**
+   * @static
+   * @param {string} text
+   * @return {boolean}
+   * @memberof Utils
+   */
+  static containsHTMLorJS(text) {
+    return /<([a-z]+)[\s\S]*?>|on\w+="[^"]*"/i.test(text);
+  }
 }
diff --git a/src/virtual-select.js b/src/virtual-select.js
@@ -3139,8 +3139,8 @@ export class VirtualSelect {
     if (!text || !this.enableSecureText) {
       return text;
     }
-
-    this.$secureText.nodeValue = text;
+    /** escape potentially harmful JavaScript so, label and value fields cannot trigger XSS */
+    this.$secureText.nodeValue = Utils.replaceDoubleQuotesWithHTML(text);
 
     return this.$secureDiv.innerHTML;
   }