From 1dc7175772a523dbfa63c0845da5cf3b4ac00bd1 Mon Sep 17 00:00:00 2001
From: volkanceylan
Date: Wed, 25 Jan 2023 12:46:07 +0300
Subject: [PATCH] Core: Added escapeHtml option to avoid XSS attacks via showLabel methods

---
 src/core.js | 15 ++++++++---
 test/error-placement.js | 57 +++++++++++++++++++++++++++++++++++++++++
 test/index.html | 6 +++++
 3 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/src/core.js b/src/core.js
index 5a2fb1ce4..ab891487b 100644
--- a/src/core.js
+++ b/src/core.js
@@ -945,14 +945,23 @@ $.extend( $.validator, {
 error.removeClass( this.settings.validClass ).addClass( this.settings.errorClass );
 // Replace message on existing label
- error.html( message );
+ if ( this.settings && this.settings.escapeHtml ) {
+ error.text( message || "" );
+ } else {
+ error.html( message || "" );
+ }
 } else {
 // Create error element
 error = $( "<" + this.settings.errorElement + ">" )
 .attr( "id", elementID + "-error" )
- .addClass( this.settings.errorClass )
- .html( message || "" );
+ .addClass( this.settings.errorClass );
+
+ if ( this.settings && this.settings.escapeHtml ) {
+ error.text( message || "" );
+ } else {
+ error.html( message || "" );
+ }
 // Maintain reference to the element to be placed into the DOM
 place = error;
diff --git a/test/error-placement.js b/test/error-placement.js
index 7c00ce0cd..05e5c565f 100644
--- a/test/error-placement.js
+++ b/test/error-placement.js
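Review bot: The new `escapeHtml` branch is opt-in, so the default path on both the replace branch and the create branch still calls `error.html( message || "" )` and renders any markup contained in the message; a consumer whose messages come from outside the page (for example a string returned by the `remote` rule, if that path reaches showLabel — not visible in this hunk) stays exposed unless it sets the option. Flipping the default would break users who deliberately put HTML in messages, so at minimum the option should be listed with the other `settings` defaults and documented, e.g. `// escapeHtml: false keeps legacy HTML rendering; set true when messages may contain content you do not control`. The `this.settings &&` guard is redundant here: the surrounding context lines already dereference `this.settings.validClass` and `this.settings.errorElement` unguarded, so the guard protects nothing and suggests a null case that does not exist. Both branches repeat the same four-line conditional; a single selector such as `error[ this.settings.escapeHtml ? "text" : "html" ]( message || "" );` in each place would remove the duplication and keep the two paths from drifting apart. showLabel continues outside the hunk on both sides.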
@@ -440,3 +440,60 @@ QUnit.test( "#1632: Error hidden, but input error class not removed", function(
 assert.equal( v.numberOfInvalids(), 0, "There is no error" );
 assert.equal( box2.hasClass( "error" ), false, "Box2 should not have an error class" );
 } );
+
+QUnit.test( "test settings.escapeHtml undefined", function( assert ) {
+ var form = $( "#escapeHtmlForm1" ),
+ field = $( "#escapeHtmlForm1text" );
+
+ form.validate( {
+ messages: {
+ escapeHtmlForm1text: {
+ required: ""
+ }
+ }
+ } );
+
+ assert.ok( !field.valid() );
+ assert.hasError( field, "required" );
+
+ var label = form.find( "label" );
+ assert.equal( label.length, 1 );
+ assert.equal( label.html(), "" );
+
+ label.html( "" );
+ assert.ok( !field.valid() );
+ assert.equal( label.html(), "" );
+
+ field.val( "foo" );
+ assert.ok( field.valid() );
+ assert.noErrorFor( field );
+} );
+
+QUnit.test( "test settings.escapeHtml true", function( assert ) {
+ var form = $( "#escapeHtmlForm2" ),
+ field = $( "#escapeHtmlForm2text" );
+
+ form.validate( {
+ escapeHtml: true,
+ messages: {
+ escapeHtmlForm2text: {
+ required: ""
+ }
+ }
+ } );
+
+ assert.ok( !field.valid() );
+ assert.hasError( field, "required" );
+
+ var label = form.find( "label" );
+ assert.equal( label.length, 1 );
+ assert.equal( label.html(), "<script>console.log('!!!');</script>" );
+
+ label.html( "" );
+ assert.ok( !field.valid() );
+ assert.equal( label.html(), "<script>console.log('!!!');</script>" );
+
+ field.val( "foo" );
+ assert.ok( field.valid() );
+ assert.noErrorFor( field );
+} );
diff --git a/test/index.html b/test/index.html
index f27ad1d76..601f6a505 100644
--- a/test/index.html
+++ b/test/index.html
@@ -467,6 +467,12 @@
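Review bot: Both new tests drive the message through the `required` entry of `messages`, i.e. a string the page author wrote, so the escaping behaviour is not pinned for the path where content is least trusted; if a server-supplied string (for example from the `remote` rule, should it reach showLabel) can become the message, a third case asserting that `label.html()` holds the escaped form under `escapeHtml: true` would cover it. The first test appears to assert that the default setting leaves the message unescaped (the expected string is not legible in this rendering), which documents the legacy default as intended behaviour; a comment such as `// Default is unescaped for backwards compatibility; see settings.escapeHtml` above that assertion would make the intent explicit to the next reader. Both tests rely on fixture forms `#escapeHtmlForm1` and `#escapeHtmlForm2`, presumably added by the test/index.html section of this commit, whose content is not legible here.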

+
+ +
+
+ +