FIO-7544: Fixes an issue where scripts inside HTML component will be …

…executed during interpolation (#5418) * FIO-7544: Fixes an issue where scripts inside HTML component will be executed during interpolation * Refactoring
formio · Dec 21, 2023 · cde5f97 · cde5f97
1 parent 230af91
commit cde5f97
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 8 deletions.
diff --git a/src/components/html/HTML.js b/src/components/html/HTML.js
@@ -45,13 +45,15 @@ export default class HTMLComponent extends Component {
     }
 
     const submission = _.get(this.root, 'submission', {});
-    const content = this.component.content ? this.interpolate(this.component.content, {
-      metadata: submission.metadata || {},
-      submission: submission,
-      data: this.rootValue,
-      row: this.data
+    const content = this.component.content ? this.interpolate(
+      this.sanitize(this.component.content, this.shouldSanitizeValue),
+      {
+        metadata: submission.metadata || {},
+        submission: submission,
+        data: this.rootValue,
+        row: this.data
     }) : '';
-    return this.sanitize(content, this.shouldSanitizeValue);
+    return content;
   }
 
   get singleTags() {

diff --git a/src/components/html/HTML.unit.js b/src/components/html/HTML.unit.js
@@ -1,11 +1,13 @@
+import Webform from '../../Webform';
 import Harness from '../../../test/harness';
 import HTMLComponent from './HTML';
 import sinon from 'sinon';
 import assert from 'power-assert';
 
 import {
   comp1,
-  comp2
+  comp2,
+  comp3,
 } from './fixtures';
 
 describe('HTML Component', () => {
@@ -30,4 +32,18 @@ describe('HTML Component', () => {
       assert.equal(emit.callCount, 0);
     });
   });
+
+  it('Should not execute scripts inside HTML component', (done) => {
+    const formElement = document.createElement('div');
+    const form = new Webform(formElement);
+
+    const alert = sinon.spy(window, 'alert');
+    form.setForm(comp3).then(() => {
+      setTimeout(() => {
+        assert.equal(alert.callCount, 0);
+        done();
+      }, 200);
+    })
+      .catch(done);
+  });
 });
diff --git a/src/components/html/fixtures/comp3.js b/src/components/html/fixtures/comp3.js
@@ -0,0 +1,29 @@
+export default {
+  type: 'form',
+  display: 'form',
+  components: [
+    {
+      label: 'HTML',
+      attrs: [
+        {
+          attr: '',
+          value: '',
+        },
+      ],
+      content: '<img src=1 onerror=alert("htmlContent")>',
+      refreshOnChange: false,
+      key: 'html',
+      type: 'htmlelement',
+      input: false,
+      tableView: false,
+    },
+    {
+      type: 'button',
+      label: 'Submit',
+      key: 'submit',
+      disableOnInvalid: true,
+      input: true,
+      tableView: false,
+    },
+  ],
+};
diff --git a/src/components/html/fixtures/index.js b/src/components/html/fixtures/index.js
@@ -1,3 +1,4 @@
 import comp1 from './comp1';
 import comp2 from './comp2';
-export { comp1, comp2 };
+import comp3 from './comp3';
+export { comp1, comp2, comp3 };