fix: XSS vulnerability fix #2

SchweizerischeBundesbahnen · Jun 6, 2024 · 16e39cd · 16e39cd
1 parent 3b49b93
commit 16e39cd
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/app/src/main/resources/js/custom-select.js b/app/src/main/resources/js/custom-select.js
@@ -128,8 +128,7 @@ SbbCustomSelect.prototype.selectMultipleValues = function(values) {
 
 SbbCustomSelect.prototype.handleChange = function(event) {
     if (this.mutiselect) {
-        // using the code without wrapping document.createTextNode(<code>).textContent causes XSS vulnerability
-        this.selectElement.innerHTML = "<option>" + document.createTextNode(this.getSelectedText().join(", ")).textContent + "</option>";
+        this.setSelectedOptionValue(this.getSelectedText().join(", "));
         if (this.changeListener) {
             this.changeListener(this.checkboxContainer.querySelectorAll('input[type="checkbox"]:checked'));
         }
@@ -147,8 +146,7 @@ SbbCustomSelect.prototype.handleChange = function(event) {
                     }
                 });
 
-                // using the code without wrapping document.createTextNode(<code>).textContent causes XSS vulnerability
-                this.selectElement.innerHTML = "<option>" + document.createTextNode(selectedCheckbox.parentElement.textContent).textContent + "</option>";
+                this.setSelectedOptionValue(selectedCheckbox.parentElement.textContent);
                 this.checkboxContainer.querySelectorAll('label').forEach(function (label) {
                     label.classList.remove("selected");
                     if (label.textContent === selectedCheckbox.parentElement.textContent) {
@@ -163,4 +161,14 @@ SbbCustomSelect.prototype.handleChange = function(event) {
         }
         this.checkboxContainer.style.display = "none";
     }
+
+    // Using code like:
+    // this.selectElement.innerHTML = "<option>" + document.createTextNode(selectedCheckbox.parentElement.textContent).textContent + "</option>"
+    // results in XSS vulnerability. The code below solves this issue.
+    SbbCustomSelect.prototype.setSelectedOptionValue = function(optionText) {
+        const optionElement = document.createElement("option");
+        optionElement.textContent = optionText;
+        this.selectElement.innerHTML = '';
+        this.selectElement.appendChild(optionElement);
+    };
 }