From 16e39cda267c030f7ca357e8b5e05638caa5a217 Mon Sep 17 00:00:00 2001 From: e551763 Date: Thu, 6 Jun 2024 16:01:27 +0200 Subject: [PATCH] fix: XSS vulnerability fix #2 --- app/src/main/resources/js/custom-select.js | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/app/src/main/resources/js/custom-select.js b/app/src/main/resources/js/custom-select.js index 4d8c4f0..9eaa976 100644 --- a/app/src/main/resources/js/custom-select.js +++ b/app/src/main/resources/js/custom-select.js @@ -128,8 +128,7 @@ SbbCustomSelect.prototype.selectMultipleValues = function(values) { SbbCustomSelect.prototype.handleChange = function(event) { if (this.mutiselect) { - // using the code without wrapping document.createTextNode().textContent causes XSS vulnerability - this.selectElement.innerHTML = ""; + this.setSelectedOptionValue(this.getSelectedText().join(", ")); if (this.changeListener) { this.changeListener(this.checkboxContainer.querySelectorAll('input[type="checkbox"]:checked')); } @@ -147,8 +146,7 @@ SbbCustomSelect.prototype.handleChange = function(event) { } }); - // using the code without wrapping document.createTextNode().textContent causes XSS vulnerability - this.selectElement.innerHTML = ""; + this.setSelectedOptionValue(selectedCheckbox.parentElement.textContent); this.checkboxContainer.querySelectorAll('label').forEach(function (label) { label.classList.remove("selected"); if (label.textContent === selectedCheckbox.parentElement.textContent) { 
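Review bot: `this.setSelectedOptionValue(this.getSelectedText().join(", "))` is called here, and again in the second hunk, but the method itself is only added in the third hunk as a `SbbCustomSelect.prototype.setSelectedOptionValue = function(...)` assignment placed just before the file's final closing brace, which from the hunk context appears to close handleChange itself (indentation is lost in this view, so this is inferred rather than certain). If that is the case, the assignment only executes after handleChange's body has already run, and the very first change event fails with `TypeError: this.setSelectedOptionValue is not a function` before any option is rendered; the definition should be moved to module level beside the other `SbbCustomSelect.prototype.*` definitions, e.g. directly above `SbbCustomSelect.prototype.handleChange`. The replacement itself is the right shape: the label text reaches the DOM only through `textContent`, so a label such as `<img onerror=...>` renders as text rather than markup. handleChange starts before this hunk and ends outside it.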
@@ -163,4 +161,14 @@ SbbCustomSelect.prototype.handleChange = function(event) {
 }
 this.checkboxContainer.style.display = "none";
 }
+
+ // Using code like:
+ // this.selectElement.innerHTML = ""
+ // results in XSS vulnerability. The code below solves this issue.
+ SbbCustomSelect.prototype.setSelectedOptionValue = function(optionText) {
+ const optionElement = document.createElement("option");
+ optionElement.textContent = optionText;
+ this.selectElement.innerHTML = '';
+ this.selectElement.appendChild(optionElement);
+ };
 }
\ No newline at end of file
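Review bot: The header comment above `setSelectedOptionValue` does not, as it reads here, describe the unsafe pattern it warns about: `this.selectElement.innerHTML = ""` assigns an empty string and is harmless, and a future maintainer will not learn from it why `textContent` is mandatory (the markup in the example may have been lost in rendering, but the comment should not depend on that). A wording that states the actual invariant would be: `// Checkbox label text is untrusted; never interpolate it into an innerHTML string. Build the <option> node and set its text via textContent so the label is rendered literally.` The two lines `this.selectElement.innerHTML = '';` and `this.selectElement.appendChild(optionElement);` can also become the single `this.selectElement.replaceChildren(optionElement);`, which avoids an HTML-parsing assignment in the one place the fix is meant to keep markup out of. The file still ends without a trailing newline, which is worth fixing while here.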