fix xss vulnerability when deleting labels

John Mitchell
2016-06-29 14:40:53 -04:00
parent 9bd05abcf3
commit d539a6715c
2 changed files with 8 additions and 4 deletions


@@ -7,7 +7,8 @@ export default
'ProcessErrors', 'ProcessErrors',
'Prompt', 'Prompt',
'$q', '$q',
function(templateUrl, Wait, Rest, GetBasePath, ProcessErrors, Prompt, $q) { '$filter',
function(templateUrl, Wait, Rest, GetBasePath, ProcessErrors, Prompt, $q, $filter) {
return { return {
restrict: 'E', restrict: 'E',
scope: false, scope: false,
@@ -65,7 +66,7 @@ export default
Prompt({ Prompt({
hdr: 'Remove Label from ' + templateName, hdr: 'Remove Label from ' + templateName,
body: '<div class="Prompt-bodyQuery">Confirm the removal of the <span class="Prompt-emphasis">' + labelName + '</span> label.</div>', body: '<div class="Prompt-bodyQuery">Confirm the removal of the <span class="Prompt-emphasis">' + $filter('sanitize')(labelName) + '</span> label.</div>',
action: action, action: action,
actionText: 'REMOVE' actionText: 'REMOVE'
}); });
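Review bot: `templateName` is still concatenated unescaped into `hdr`, one line above the now-sanitized `body`, and template names are presumably as user-controlled as label names. Whether Prompt renders `hdr` as HTML is not visible in this hunk, so that needs confirming; if it does, the same filter applies: `hdr: 'Remove Label from ' + $filter('sanitize')(templateName),`. A more durable fix would be for Prompt to take interpolated values as plain text and build the markup itself, so callers cannot forget the escaping. The enclosing directive function starts and ends outside the hunk.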


@@ -608,8 +608,8 @@ angular.module('Utilities', ['RestServices', 'Utilities', 'sanitizeFilter'])
* ] * ]
* ``` * ```
*/ */
.factory('CreateSelect2', [ .factory('CreateSelect2', ['$filter',
function () { function ($filter) {
return function (params) { return function (params) {
var element = params.element, var element = params.element,
@@ -641,6 +641,9 @@ angular.module('Utilities', ['RestServices', 'Utilities', 'sanitizeFilter'])
containerCssClass: 'Form-dropDown', containerCssClass: 'Form-dropDown',
width: '100%', width: '100%',
minimumResultsForSearch: Infinity, minimumResultsForSearch: Infinity,
escapeMarkup: function(m) {
return $filter('sanitize')(m);
}
}; };
// multiple-choice directive calls select2 but needs to do so without this custom adapter // multiple-choice directive calls select2 but needs to do so without this custom adapter
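Review bot: The new `escapeMarkup` hook has no comment saying why it is set, and the context comment just below it says the multiple-choice directive calls select2 without this custom adapter, so it is not visible here whether that path gets the same escaping. It is worth confirming that every select2 initialisation that renders user-supplied names goes through `$filter('sanitize')`, and adding a comment such as `// select2 inserts option text as HTML; encode it so user-supplied names cannot inject markup`. The comment could also record whether `sanitize` encodes or strips markup, since stripping would change how names containing `<` are displayed. The CreateSelect2 factory body continues outside the hunk.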