From c85fc65d68662dd6795539483ca348b4a8f2fd8e Mon Sep 17 00:00:00 2001 From: "Md.Harun-Ur-Rashid" Date: Mon, 28 Aug 2023 13:05:18 +0600 Subject: [PATCH 1/2] esc_html js helper added --- assets/react/lib/tutor.js | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/assets/react/lib/tutor.js b/assets/react/lib/tutor.js index f8a0d9da1..91f8dfb07 100644 --- a/assets/react/lib/tutor.js +++ b/assets/react/lib/tutor.js @@ -432,6 +432,28 @@ window.tutor_toast = function( title, description, type, autoClose = true ) { } }; +/** + * Escape HTML and return safe HTML + * + * @since 2.2.4 + * + * @param {string} unsafeText HTML string + * @returns string + */ +window.tutor_esc_html = function (unsafeText) { + let safeHTML = '' + let div = document.createElement('div'); + /** + * When set an HTML string to an element's innerText + * the browser automatically escapes any HTML tags and + * treats the content as plain text. + */ + div.innerText = unsafeText; + safeHTML = div.innerHTML; + div.remove() + + return safeHTML; +} // enable custom selector when modal opens window.addEventListener('tutor_modal_shown', (e) => { From d156d6fb59da374f33e0cb1afc88dc1f8a3e3597 Mon Sep 17 00:00:00 2001 From: "Md.Harun-Ur-Rashid" Date: Mon, 28 Aug 2023 13:05:50 +0600 Subject: [PATCH 2/2] fix - xss security on tutor dropdown select --- assets/react/front/_select_dd_search.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/react/front/_select_dd_search.js b/assets/react/front/_select_dd_search.js index 4af7f1802..d8cb8219f 100644 --- a/assets/react/front/_select_dd_search.js +++ b/assets/react/front/_select_dd_search.js @@ -143,7 +143,7 @@ window.selectSearchField = (selectElement) => { Array.from(options).forEach((item) => { optionsList += `
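Review bot: The new `tutor_esc_html` assigns `div.innerText` instead of `div.textContent`, and the innerText setter converts every newline in the input into a `<br>` element, so a label containing a line break comes back as `<br>` markup rather than escaped text; change the line to `div.textContent = unsafeText;` (the element is never attached, so innerText buys nothing else here). Serialising a text node through `innerHTML` escapes only `&`, `<` and `>`, never `"` or `'`, so unlike WordPress's PHP esc_html this helper is safe for element content only and must not be used for attribute values; the JSDoc should say so, e.g. `@returns {string} text with &, < and > escaped — safe as element content only, never inside an attribute`. As written `div` is never reassigned and can be `const`, the `safeHTML` temporary can go in favour of `return div.innerHTML;`, `div.remove()` is a no-op on a detached node, and `let safeHTML = ''` / `div.remove()` are missing the semicolons the rest of the file uses.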
- ${item.text} + ${tutor_esc_html(item.text)}
`; });
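Review bot: `tutor_esc_html` only neutralises `&`, `<` and `>` (it serialises a text node), so `${tutor_esc_html(item.text)}` is safe here only because it lands in element content; if the same template also interpolates `item.text` or another option property into an attribute (for example `data-value="${...}"`), which the hunk does not show, that spot still needs quote escaping and this helper is not enough for it. The helper is a global assigned in assets/react/lib/tutor.js and used here as a bare identifier, so the fix depends on tutor.js being loaded before `_select_dd_search.js`; if the two scripts can load independently, that ordering should be confirmed or the call guarded. A shape that needs no escaping at all is to create each option with `document.createElement`, set `.textContent = item.text`, and append the node instead of concatenating HTML into `optionsList`. The body of `selectSearchField` begins and ends outside the hunk.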