From 2209bc1b92253e3fd8ec2412d9b47b528e1c35b3 Mon Sep 17 00:00:00 2001
From: alexandraRamanenka
 <60643585+alexandraRamanenka@users.noreply.github.com>
Date: Tue, 31 Oct 2023 10:36:17 +0200
Subject: [PATCH] FIO-7466: Fixed an issue where code inside tolltips will be
 executed (#5392)

* FIO-7466: Fixed an issue where code inside tolltips/descriptions will be executed

* Removed console.log
---
 .../_classes/component/Component.js           |  2 +-
 .../_classes/component/Component.unit.js      | 14 +++++++++++
 .../_classes/component/fixtures/comp5.js      | 24 +++++++++++++++++++
 .../_classes/component/fixtures/index.js      |  3 ++-
 4 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 src/components/_classes/component/fixtures/comp5.js

diff --git a/src/components/_classes/component/Component.js b/src/components/_classes/component/Component.js
index c64abaa4eb..1e15ff96ef 100644
--- a/src/components/_classes/component/Component.js
+++ b/src/components/_classes/component/Component.js
@@ -1223,7 +1223,7 @@ export default class Component extends Element {
           placement: 'right',
           zIndex: 10000,
           interactive: true,
-          content: this.t(tooltipText, { _userInput: true }),
+          content: this.t(this.sanitize(tooltipText), { _userInput: true }),
         });
       }
     });
diff --git a/src/components/_classes/component/Component.unit.js b/src/components/_classes/component/Component.unit.js
index 7726f1b97c..46606065f2 100644
--- a/src/components/_classes/component/Component.unit.js
+++ b/src/components/_classes/component/Component.unit.js
@@ -9,6 +9,7 @@ import { comp1 } from './fixtures';
 import _merge from 'lodash/merge';
 import comp3 from './fixtures/comp3';
 import comp4 from './fixtures/comp4';
+import comp5 from './fixtures/comp5';
 
 describe('Component', () => {
   it('Should create a Component', (done) => {
@@ -356,4 +357,17 @@ describe('Component', () => {
       .catch(done);
     });
   });
+
+  it('Should not execute code inside Tooltips/Description', (done) => {
+    const formElement = document.createElement('div');
+    const form = new Webform(formElement);
+
+    form.setForm(comp5).then(() => {
+      setTimeout(() => {
+        assert.equal(window._ee, undefined, 'Should not execute code inside Tooltips/Description');
+        done();
+      }, 200);
+    })
+      .catch(done);
+  });
 });
diff --git a/src/components/_classes/component/fixtures/comp5.js b/src/components/_classes/component/fixtures/comp5.js
new file mode 100644
index 0000000000..68806c95d7
--- /dev/null
+++ b/src/components/_classes/component/fixtures/comp5.js
@@ -0,0 +1,24 @@
+export default {
+  type: 'form',
+  display: 'form',
+  components: [
+    {
+      label: 'Text Field',
+      description: "<img <img src='https://somesite' onerror='var _ee = 2' >",
+      tooltip: "<img src='https://somesite' onerror='var _ee = 1 >",
+      applyMaskOn: 'change',
+      tableView: true,
+      key: 'textField',
+      type: 'textfield',
+      input: true
+    },
+    {
+      type: 'button',
+      label: 'Submit',
+      key: 'submit',
+      disableOnInvalid: true,
+      input: true,
+      tableView: false
+    }
+  ],
+};
diff --git a/src/components/_classes/component/fixtures/index.js b/src/components/_classes/component/fixtures/index.js
index f1a58d4b03..e6e320dd66 100644
--- a/src/components/_classes/component/fixtures/index.js
+++ b/src/components/_classes/component/fixtures/index.js
@@ -2,4 +2,5 @@ import comp1 from './comp1';
 import comp2 from './comp2';
 import comp3 from './comp3';
 import comp4 from './comp4';
-export { comp1, comp2, comp3, comp4 };
+import comp5 from './comp5';
+export { comp1, comp2, comp3, comp4, comp5 };