Merge pull request #542 from themeum/harun

Security Fix - XSS on several page where course list bind.
themeum · Aug 28, 2023 · beaabf1 · beaabf1
2 parents 19d0f7b + d156d6f
commit beaabf1
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/assets/react/front/_select_dd_search.js b/assets/react/front/_select_dd_search.js
@@ -143,7 +143,7 @@ window.selectSearchField = (selectElement) => {
 		Array.from(options).forEach((item) => {
 			optionsList += `
             <div class="tutor-form-select-option">
-				<span tutor-dropdown-item data-key="${item.value}" class="tutor-nowrap-ellipsis" title="${item.text}">${item.text}</span>
+				<span tutor-dropdown-item data-key="${item.value}" class="tutor-nowrap-ellipsis" title="${tutor_esc_html(item.text)}">${tutor_esc_html(item.text)}</span>
             </div>
             `;
 		});

diff --git a/assets/react/lib/tutor.js b/assets/react/lib/tutor.js
@@ -432,6 +432,28 @@ window.tutor_toast = function( title, description, type, autoClose = true ) {
 	}
 };
 
+/**
+ * Escape HTML and return safe HTML
+ * 
+ * @since 2.2.4
+ * 
+ * @param {string} unsafeText HTML string
+ * @returns string
+ */
+window.tutor_esc_html = function (unsafeText) {
+	let safeHTML = ''
+	let div = document.createElement('div');
+	/**
+	 * When set an HTML string to an element's innerText
+	 * the browser automatically escapes any HTML tags and
+	 * treats the content as plain text.
+	 */
+	div.innerText = unsafeText;
+	safeHTML = div.innerHTML;
+	div.remove()
+
+	return safeHTML;
+}
 
 // enable custom selector when modal opens
 window.addEventListener('tutor_modal_shown', (e) => {