
[Autocomplete] Escape remote data

Open comnuoc opened this issue 1 year ago • 5 comments

Currently, the script does not escape remote data and may have XSS vulnerabilities.

```ts
// Current templates: item.text from the remote response is interpolated as raw HTML
render: {
    option: function (item: any) {
        return `<div>${item.text}</div>`;
    },
    item: function (item: any) {
        return `<div>${item.text}</div>`;
    },
},
```

Can we escape remote data by default? https://tom-select.js.org/docs/#render-templates

```ts
// Proposed templates: use the escape helper tom-select passes as the second argument
render: {
    option: function (item: any, escape: typeof escape_html) {
        return `<div>${escape(item.text)}</div>`;
    },
    item: function (item: any, escape: typeof escape_html) {
        return `<div>${escape(item.text)}</div>`;
    },
},
```

or escape data based on the `options_as_html` option

comnuoc, Mar 13 '24 22:03
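To make the difference concrete, here is an added example (not code from the symfony/ux or tom-select projects) that runs the current template, the escaped template, and the `options_as_html`-gated variant over a constructed remote item containing markup. The `escapeHtml` helper is an assumption about what tom-select's `escape_html` does (entity-encode `&`, `<`, `>` and `"`); `renderOption` and `containsRawTag` are hypothetical names used only for this demonstration.

```javascript
// Assumed behaviour of tom-select's escape_html: encode the four HTML
// metacharacters so remote text can never start a tag or attribute.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Current template from the issue: remote text is interpolated as raw HTML,
// so any markup in the server response becomes part of the page.
function renderOptionUnescaped(item) {
  return `<div>${item.text}</div>`;
}

// Proposed template: the escape helper (second render argument) neutralises
// markup before it reaches innerHTML.
function renderOptionEscaped(item, escape) {
  return `<div>${escape(item.text)}</div>`;
}

// Alternative from the issue: leave the value raw only when the application
// has explicitly opted in via options_as_html (hypothetical helper name).
function renderOption(item, optionsAsHtml, escape) {
  return `<div>${optionsAsHtml ? item.text : escape(item.text)}</div>`;
}

// Constructed sample of an untrusted remote response. A real endpoint could
// return user-supplied text like this from a database.
const remoteItem = { value: 7, text: 'Bob <img src="x" onerror="evil()">' };

// Rough defender-side check used here to show the difference: does the
// rendered string still contain an unescaped element that can run script?
function containsRawTag(html) {
  return /<(img|script|iframe|svg)\b/i.test(html);
}

console.log(renderOptionUnescaped(remoteItem));            // raw <img ...> survives
console.log(renderOptionEscaped(remoteItem, escapeHtml));  // &lt;img ... &gt; only
console.log(renderOption(remoteItem, false, escapeHtml));  // escaped by default
```

With `options_as_html` left at its default of `false`, the third variant produces the same safe output as the second; only a deliberate `true` reproduces the current behaviour.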

Are you feeling up for a PR ?

smnandre, Mar 14 '24 22:03

I'm sorry, I don't have time for now. Could you please help?

comnuoc, Mar 15 '24 06:03