From 02d1369d5b2595501d1c23b51954fd1e945dba18 Mon Sep 17 00:00:00 2001
From: bartbutenaers
Date: Tue, 23 Feb 2021 00:00:23 +0100
Subject: [PATCH] Escape all user input
---
 .../src/js/ui/common/editableList.js | 24 +++++++++----------
 1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/packages/node_modules/@node-red/editor-client/src/js/ui/common/editableList.js b/packages/node_modules/@node-red/editor-client/src/js/ui/common/editableList.js
index d65a4f9fd..7f823289e 100644
--- a/packages/node_modules/@node-red/editor-client/src/js/ui/common/editableList.js
+++ b/packages/node_modules/@node-red/editor-client/src/js/ui/common/editableList.js
@@ -94,19 +94,7 @@
 }
 buttons.forEach(function(button) {
- var text = "";
- var titleAttribute="";
- if (button.icon) {
- text = ' ';
- }
- if (button.label) {
- text += button.label;
- }
- if (button.title) {
- titleAttribute = 'title="'+button.title+'"';
- }
- $('')
- .text(text)
+ var element = $('')
 .appendTo(that.topContainer)
 .on("click", function(evt) {
 evt.preventDefault();
@@ -114,6 +102,16 @@
 button.click(evt);
 }
 });
+
+ if (button.title) {
+ element.attr("title", button.title);
+ }
+ if (button.icon) {
+ element.append($("").attr("class", button.icon));
+ }
+ if (button.label) {
+ element.append($("").text(" " + button.label));
+ }
 });
 if (this.element.css("position") === "absolute") {
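Review bot: The three added `if` blocks in the second hunk are the whole escaping fix, but nothing in the code records that `button.title`, `button.icon` and `button.label` are treated as untrusted plain text, so a later edit could go back to string-built markup. I would add a comment above `if (button.title) {`, for example `// title/icon/label are supplied by the widget's caller: set them with attr()/text() only, never concatenate them into markup`. Where the `buttons` array is populated is outside this diff, so how much of these values a third-party node controls is inferred from the commit subject rather than visible here. A regression test that passes a title and label containing `<` and `"` and checks that they render literally would guard the change. The `forEach` callback starts in the previous hunk, and the enclosing function starts outside the diff.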