[DEV-2026] fixed XSS vulnerability in multiselect

CHERTS · Dec 12, 2021 · 7e75644 · 7e75644
1 parent 0f310eb
commit 7e75644
Showing 1 changed file with 32 additions and 6 deletions.
diff --git a/frontends/php/js/multiselect.js b/frontends/php/js/multiselect.js
@@ -766,7 +766,6 @@ jQuery(function($) {
 		var ms = $obj.data('multiSelect'),
 			is_new = item.isNew || false,
 			prefix = item.prefix || '',
-			search = ms.values.search.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/[*]/g, '\\\*?'),
 			$li = $('<li>', {
 				'data-id': item.id,
 				'data-label': prefix + item.name
@@ -784,11 +783,38 @@ jQuery(function($) {
 		}
 
 		// Highlight matched.
-		$li
-			.append(item.name.replace(new RegExp(search, 'gi'), function(match) {
-				return '<span' + (!is_new ? ' class="suggest-found"' : '') + '>' + match + '</span>';
-			}))
-			.toggleClass('suggest-new', is_new);
+		if (ms.values.search !== item.name) {
+			var text = item.name.toLowerCase(),
+				search = ms.values.search.toLowerCase().replace(/[*]+/g, ''),
+				start = 0,
+				end = 0;
+
+			while (search !== '' && text.indexOf(search, end) > -1) {
+				end = text.indexOf(search, end);
+
+				if (end > start) {
+					$li.append(document.createTextNode(item.name.substring(start, end)));
+				}
+
+				$li.append($('<span>', {
+					class: !is_new ? 'suggest-found' : '',
+					text: item.name.substring(end, end + search.length)
+				})).toggleClass('suggest-new', is_new);
+
+				end += search.length;
+				start = end;
+			}
+
+			if (end < item.name.length) {
+				$li.append(document.createTextNode(item.name.substring(end, item.name.length)));
+			}
+		}
+		else {
+			$li.append($('<span>', {
+				class: !is_new ? 'suggest-found' : '',
+				text: item.name
+			})).toggleClass('suggest-new', is_new);
+		}
 
 		$('ul', ms.values.available_div).append($li);
 	}