fix(dropdown): possible XSS through select option text

lubber-de · web-flow · commit be4492b7b6ac · 2023-02-19T20:16:10.000+01:00
This PR fixes a possible XSS through an entity encoded select option text when converted into a FUI dropdown. Even if preserveHTML: false would prevent this, a select tag cannot contain html at all and if it contains entity encoded HTML instead, it should not be reconverted into html. The PR also fixes recreating the dropdown menu twice when no values are selected in a multiple dropdown Thanks to @brian-codes for reporting
diff --git a/src/definitions/modules/dropdown.js b/src/definitions/modules/dropdown.js
@@ -2076,7 +2076,7 @@
                                     values.push({
                                         name: name,
                                         value: value,
-                                        text: text,
+                                        text: module.escape.htmlEntities(text, true),
                                         disabled: disabled,
                                     });
                                 }
@@ -3459,7 +3459,7 @@
                             selectChanged = false
                         ;
                         $.each(mutations, function (index, mutation) {
-                            if ($(mutation.target).is('select, option, optgroup') || $(mutation.addedNodes).is('select')) {
+                            if ($(mutation.target).is('option, optgroup') || $(mutation.addedNodes).is('select') || ($(mutation.target).is('select') && mutation.type !== 'attributes')) {
                                 selectChanged = true;
 
                                 return false;
@@ -3768,7 +3768,7 @@
 
                         return text.replace(regExp.escape, '\\$&');
                     },
-                    htmlEntities: function (string) {
+                    htmlEntities: function (string, forceAmpersand) {
                         var
                             badChars     = /["'<>`]/g,
                             shouldEscape = /["&'<>`]/,
@@ -3784,7 +3784,7 @@
                             }
                         ;
                         if (shouldEscape.test(string)) {
-                            string = string.replace(/&(?![\d#a-z]{1,12};)/gi, '&amp;');
+                            string = string.replace(forceAmpersand ? /&/g : /&(?![\d#a-z]{1,12};)/gi, '&amp;');
 
                             return string.replace(badChars, escapedChar);
                         }
