Checkboxradio's label text being evaluated as HTML on refresh #2101

Closed
@Elkano

If you generate a Checkboxradio from a checkbox/radio with a label that contains encoded HTML, e.g. `<em>test</em>`, this will work fine at first.
If however a refresh is triggered on that instance (explicitly or e.g. by turning it into a Controlgroup), the previously escaped HTML will now be evaluated.

If the label was created based on some user input, this could lead to unexpected code execution even though the initial output was escaped.

Example:
https://jsfiddle.net/69krwj75/

This is caused by the initial label being read as text (and thus decoded) for text nodes.

```js
that.originalLabel += this.nodeType === 3 ? $( this ).text() : this.outerHTML;
```

When the label is later updated, it is however done via append.

```js
this.label.append( this.options.label );
```

A fix would likely be to read the initial label text as HTML as well to preserve the encoding of the entities; however, there likely was some reason to do things the way they currently are.

Judging from the blame, this bug has existed since the initial code from 8 years ago.


I'm aware that the team's resources are limited, but I wanted to at least report the bug.
As a workaround, one can wrap their text in a `<span>`, thus causing it to be read via `this.outerHTML` instead.
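
The round trip described in the report, as an added example that is not part of the original issue or of jQuery UI's code: a DOM-free model of reading the label and re-appending it on refresh. All helper names are hypothetical, the label value is constructed, and `elementsCreatedByAppend` is a simplified stand-in for HTML parsing.

```javascript
// Added example: DOM-free model of the label round trip (not jQuery UI code).
const ENTITIES = { lt: "<", gt: ">", amp: "&", quot: '"', "#39": "'" };

// What the HTML parser makes of entity-encoded source, i.e. what .text() returns.
function decodeEntities(source) {
  return source.replace(/&(lt|gt|amp|quot|#39);/g, (_, name) => ENTITIES[name]);
}

// Inverse operation: encode text so that parsing it yields the same text again.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) =>
    "&" + Object.keys(ENTITIES).find((k) => ENTITIES[k] === ch) + ";");
}

// Constructed stand-ins for the label's child nodes.
const textNode = (source) => ({ nodeType: 3, text: decodeEntities(source) });
const elementNode = (outerHTML) => ({ nodeType: 1, outerHTML });

// Mirrors the read quoted in the issue: text nodes contribute decoded text.
function readLabelDecoded(nodes) {
  return nodes.map((n) => (n.nodeType === 3 ? n.text : n.outerHTML)).join("");
}

// Variant following the fix the issue suggests: text nodes stay encoded.
function readLabelEncoded(nodes) {
  return nodes
    .map((n) => (n.nodeType === 3 ? escapeHtml(n.text) : n.outerHTML))
    .join("");
}

// Simplified model of append(string): names of tags that would become elements.
function elementsCreatedByAppend(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g)].map((m) => m[1]);
}

// Constructed sample: escaped user input placed in the label markup.
const escapedLabel = "&lt;em&gt;test&lt;/em&gt;";
const bare = [textNode(escapedLabel)];
const wrapped = [elementNode("<span>" + escapedLabel + "</span>")];

console.log("current read, refresh creates:", elementsCreatedByAppend(readLabelDecoded(bare)));
console.log("encoded read, refresh creates:", elementsCreatedByAppend(readLabelEncoded(bare)));
console.log("span workaround, refresh creates:", elementsCreatedByAppend(readLabelDecoded(wrapped)));
```
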
