IBX-9793: Fixed XSS issues in several places (see commit description)

* IBX-9793: Fix XSS in TagViewSelect
* IBX-9869: Fix XSS in search in the dropdown
* IBX-9901: Fix XSS in autocomplete
* IBX-9888: Fix XSS in Dashboard - Products by category
* IBX-9872: Use ibexa-taggify in ezkeyword
* IBX-9872: fix ezobjectrelationlist
* Taggify: handle input blur

Author: tischsoic

src/bundle/Resources/public/js/scripts/admin.search.autocomplete.content.js

@@ -20,7 +20,9 @@
                 return total;
             }
 
-            return index === 0 ? parentLocation.name : `${total} / ${parentLocation.name}`;
+            const parentLocationNameHTMLEscaped = escapeHTML(parentLocation.name);
+
+            return index === 0 ? parentLocationNameHTMLEscaped : `${total} / ${parentLocationNameHTMLEscaped}`;
         }, '');
         const breadcrumbsClass = !breadcrumb ? 'ibexa-global-search__autocomplete-item-breadcrumbs--empty' : '';
         const autocompleteItemTemplate = autocompleteContentTemplateNode.dataset.templateItem;

src/bundle/Resources/public/js/scripts/core/doughnut.chart.js

@@ -1,4 +1,6 @@
 (function (global, doc, ibexa, ChartDataLabels) {
+    const { escapeHTML } = ibexa.helpers.text;
+    const { dangerouslyInsertAdjacentHTML } = ibexa.helpers.dom;
     const IBEXA_WHITE = '#fff';
     const IBEXA_COLOR_BASE_DARK = '#878b90';
     const dataLabelsMap = new Map();
@@ -71,13 +73,14 @@
                         data.legend.forEach((legendItem, index) => {
                             dataLabelsMap.set(index, true);
 
+                            const legendItemHtmlEscaped = escapeHTML(legendItem);
                             const container = doc.createElement('div');
                             const renderedItemTemplate = itemTemplate
                                 .replace('{{ checked_color }}', data.backgroundColor[index])
                                 .replace('{{ dataset_index }}', index)
-                                .replace('{{ label }}', legendItem);
+                                .replace('{{ label }}', legendItemHtmlEscaped);
 
-                            container.insertAdjacentHTML('beforeend', renderedItemTemplate);
+                            dangerouslyInsertAdjacentHTML(container, 'beforeend', renderedItemTemplate);
 
                             const checkboxNode = container.querySelector('.ibexa-chart-legend__item-wrapper');
 

src/bundle/Resources/public/js/scripts/core/dropdown.js

@@ -1,4 +1,7 @@
 (function (global, doc, ibexa, bootstrap, Translator) {
+    const { escapeHTML, escapeHTMLAttribute } = ibexa.helpers.text;
+    const { dangerouslySetInnerHTML, dangerouslyInsertAdjacentHTML } = ibexa.helpers.dom;
+
     const EVENT_VALUE_CHANGED = 'change';
     const RESTRICTED_AREA_ITEMS_CONTAINER = 190;
     const MINIMUM_LETTERS_TO_FILTER = 3;
@@ -104,10 +107,10 @@
         createSelectedItem(value, label, icon) {
             const container = doc.createElement('div');
             const selectedItemRendered = this.selectedItemTemplate
-                .replaceAll('{{ value }}', ibexa.helpers.text.escapeHTMLAttribute(value))
+                .replaceAll('{{ value }}', escapeHTMLAttribute(value))
                 .replaceAll('{{ label }}', label);
 
-            container.insertAdjacentHTML('beforeend', selectedItemRendered);
+            dangerouslyInsertAdjacentHTML(container, 'beforeend', selectedItemRendered);
 
             const selectedItemNode = container.querySelector('.ibexa-dropdown__selected-item');
             const removeSelectionBtn = selectedItemNode.querySelector('.ibexa-dropdown__remove-selection');
@@ -341,7 +344,7 @@
             const separator = this.itemsListContainer.querySelector('.ibexa-dropdown__separator');
             const emptyMessage = Translator.trans(
                 /*@Desc("No results found for "%phrase%"")*/ 'dropdown.no_results',
-                { phrase: searchedTerm },
+                { phrase: escapeHTML(searchedTerm) },
                 'ibexa_dropdown',
             );
             let hideSeparator = true;
@@ -378,7 +381,10 @@
 
             this.itemsListContainer.toggleAttribute('hidden', !anyItemVisible);
             this.itemsListFilterEmptyContainer.toggleAttribute('hidden', anyItemVisible);
-            this.itemsListFilterEmptyContainer.querySelector('.ibexa-dropdown__items-list-filter-empty-message').innerHTML = emptyMessage;
+
+            const emptyMessageNode = this.itemsListFilterEmptyContainer.querySelector('.ibexa-dropdown__items-list-filter-empty-message');
+
+            dangerouslySetInnerHTML(emptyMessageNode, emptyMessage);
         }
 
         itemsPopoverContent() {
@@ -434,9 +440,7 @@
 
         createOption(value, label) {
             const container = doc.createElement('div');
-            const itemRendered = this.itemTemplate
-                .replaceAll('{{ value }}', ibexa.helpers.text.escapeHTMLAttribute(value))
-                .replaceAll('{{ label }}', label);
+            const itemRendered = this.itemTemplate.replaceAll('{{ value }}', escapeHTMLAttribute(value)).replaceAll('{{ label }}', label);
 
             container.insertAdjacentHTML('beforeend', itemRendered);
 

src/bundle/Resources/public/js/scripts/core/tag.view.select.js

@@ -1,4 +1,7 @@
 (function (global, doc, ibexa) {
+    const { escapeHTML } = ibexa.helpers.text;
+    const { dangerouslyAppend } = ibexa.helpers.dom;
+
     class TagViewSelect {
         constructor(config) {
             this.inputSelector = config.inputSelector || 'input';
@@ -74,14 +77,14 @@
 
             items.forEach((item) => {
                 const { id, name } = item;
-                const itemTemplate = this.selectedItemTemplate.replace('{{ id }}', id).replaceAll('{{ name }}', name);
+                const itemTemplate = this.selectedItemTemplate.replace('{{ id }}', id).replaceAll('{{ name }}', escapeHTML(name));
                 const range = doc.createRange();
                 const itemHtmlWidget = range.createContextualFragment(itemTemplate);
                 const deleteButton = itemHtmlWidget.querySelector('.ibexa-tag-view-select__selected-item-tag-remove-btn');
 
                 deleteButton.toggleAttribute('disabled', false);
                 deleteButton.addEventListener('click', () => this.removeItem(String(id)), false);
-                this.listContainer.append(itemHtmlWidget);
+                dangerouslyAppend(this.listContainer, itemHtmlWidget);
             });
 
             this.inputField.dispatchEvent(new Event('change'));

src/bundle/Resources/public/js/scripts/core/taggify.js

@@ -1,4 +1,7 @@
 (function (global, doc, ibexa) {
+    const { escapeHTML, escapeHTMLAttribute } = ibexa.helpers.text;
+    const { dangerouslyInsertAdjacentHTML } = ibexa.helpers.dom;
+
     class Taggify {
         constructor(config) {
             this.container = config.container;
@@ -10,6 +13,7 @@
 
             this.attachEventsToTag = this.attachEventsToTag.bind(this);
             this.handleInputKeyUp = this.handleInputKeyUp.bind(this);
+            this.handleInputBlur = this.handleInputBlur.bind(this);
             this.addElementAttributes = this.addElementAttributes.bind(this);
         }
 
@@ -19,6 +23,14 @@
             return this.acceptKeys.includes(key);
         }
 
+        removeAcceptKey(name) {
+            if (this.acceptKeys.includes(name.at(-1))) {
+                return name.slice(0, -1);
+            }
+
+            return name;
+        }
+
         addElementAttributes(element, attrs) {
             const getValue = (value) => (typeof value === 'object' ? JSON.stringify(value) : value);
 
@@ -36,23 +48,37 @@
         }
 
         addTag(name, value, attrs = {}, tooltipAttrs = {}) {
+            if (!value || this.tags.has(value)) {
+                return;
+            }
+
             const tagTemplate = this.listNode.dataset.template;
-            const renderedTemplate = tagTemplate.replace('{{ name }}', name).replace('{{ value }}', value);
+            const nameHtmlEscaped = escapeHTML(name);
+            const valueHtmlAttributeEscaped = escapeHTMLAttribute(value);
+            const renderedTemplate = tagTemplate.replace('{{ name }}', nameHtmlEscaped).replace('{{ value }}', valueHtmlAttributeEscaped);
             const div = doc.createElement('div');
 
-            div.insertAdjacentHTML('beforeend', renderedTemplate);
+            dangerouslyInsertAdjacentHTML(div, 'beforeend', renderedTemplate);
 
             const tag = div.querySelector('.ibexa-taggify__list-tag');
             const tagNameNode = tag.querySelector('.ibexa-taggify__list-tag-name');
 
-            this.addElementAttributes(tag, attrs);
+            this.addElementAttributes(tag, { ...attrs, dataset: { ...attrs.dataset, value } });
             this.addElementAttributes(tagNameNode, tooltipAttrs);
             this.attachEventsToTag(tag, value);
             this.listNode.insertBefore(tag, this.inputNode);
             this.tags.add(value);
             this.afterTagsUpdate();
         }
 
+        removeTagWithValue(value) {
+            const tag = this.listNode.querySelector(`.ibexa-taggify__list-tag[data-value="${value}"]`);
+
+            if (tag) {
+                this.removeTag(tag, value);
+            }
+        }
+
         removeTag(tag, value) {
             this.tags.delete(value);
 
@@ -61,26 +87,49 @@
             this.afterTagsUpdate();
         }
 
+        removeAllTags() {
+            this.tags.forEach((tag) => {
+                const tagNode = this.listNode.querySelector(`.ibexa-taggify__list-tag[data-value="${tag}"]`);
+
+                if (tagNode) {
+                    tagNode.remove();
+                }
+            });
+
+            this.tags.clear();
+            this.afterTagsUpdate();
+        }
+
         attachEventsToTag(tag, value) {
             const removeBtn = tag.querySelector('.ibexa-taggify__btn--remove');
 
             removeBtn.addEventListener('click', () => this.removeTag(tag, value), false);
         }
 
+        handleInputBlur() {
+            const inputValue = this.inputNode.value.trim();
+
+            this.addTag(inputValue, inputValue);
+            this.inputNode.value = '';
+        }
+
         handleInputKeyUp(event) {
             if (this.tagsPattern && !this.tagsPattern.test(this.inputNode.value)) {
                 return;
             }
 
-            if (this.isAcceptKeyPressed(event.key) && this.inputNode.value && !this.tags.has(this.inputNode.value)) {
-                this.addTag(this.inputNode.value, this.inputNode.value);
+            if (this.isAcceptKeyPressed(event.key)) {
+                const nameWithoutAcceptKey = this.removeAcceptKey(this.inputNode.value);
+
+                this.addTag(nameWithoutAcceptKey, nameWithoutAcceptKey);
 
                 this.inputNode.value = '';
             }
         }
 
         init() {
             this.inputNode.addEventListener('keyup', this.handleInputKeyUp, false);
+            this.inputNode.addEventListener('blur', this.handleInputBlur, false);
         }
     }
 

src/bundle/Resources/public/js/scripts/fieldType/ezkeyword.js

@@ -1,29 +1,8 @@
-import { parse as parseTooltips } from '@ibexa-admin-ui/src/bundle/Resources/public/js/scripts/helpers/tooltips.helper';
-
 (function (global, doc, ibexa) {
     const SELECTOR_FIELD = '.ibexa-field-edit--ezkeyword';
-    const SELECTOR_TAGGIFY = '.ibexa-data-source__taggify';
+    const SELECTOR_TAGGIFY_CONTAINER = '.ibexa-data-source__taggify';
+    const SELECTOR_TAGGIFY = '.ibexa-data-source__taggify .ibexa-taggify';
     const SELECTOR_ERROR_NODE = '.ibexa-form-error';
-    const CLASS_TAGGIFY_FOCUS = 'ibexa-data-source__taggify--focused';
-    const ENTER_KEY_CODE = 13;
-    const COMMA_KEY_CODE = 188;
-    const tagsObserverConfig = {
-        childList: true,
-        subtree: true,
-    };
-    const addTooltipToTag = (mutationList) => {
-        mutationList.forEach((mutation) => {
-            if (mutation.target.classList.contains('taggify__tags')) {
-                mutation.addedNodes.forEach((addedNode) => {
-                    const labelElement = addedNode.querySelector('.taggify__tag-label');
-
-                    labelElement.title = labelElement.innerText;
-                });
-
-                parseTooltips(mutation.target);
-            }
-        });
-    };
 
     class EzKeywordValidator extends ibexa.BaseFieldValidator {
         /**
@@ -65,18 +44,16 @@ import { parse as parseTooltips } from '@ibexa-admin-ui/src/bundle/Resources/pub
     };
 
     doc.querySelectorAll(SELECTOR_FIELD).forEach((field) => {
-        const taggifyContainer = field.querySelector(SELECTOR_TAGGIFY);
-        const tagsObserver = new MutationObserver(addTooltipToTag);
-
-        tagsObserver.observe(taggifyContainer, tagsObserverConfig);
+        const taggifyContainer = field.querySelector(SELECTOR_TAGGIFY_CONTAINER);
+        const ibexaTaggifyNode = taggifyContainer.querySelector('.ibexa-taggify');
 
         const validator = new EzKeywordValidator({
             classInvalid: 'is-invalid',
             fieldSelector: SELECTOR_FIELD,
             eventsMap: [
                 {
                     isValueValidator: false,
-                    selector: `${SELECTOR_FIELD} .taggify__input`,
+                    selector: `${SELECTOR_FIELD} .ibexa-taggify__input`,
                     eventName: 'blur',
                     callback: 'validateKeywords',
                     errorNodeSelectors: [SELECTOR_ERROR_NODE],
@@ -91,37 +68,38 @@ import { parse as parseTooltips } from '@ibexa-admin-ui/src/bundle/Resources/pub
                 },
             ],
         });
-        const taggify = new global.Taggify({
-            containerNode: taggifyContainer,
-            displayLabel: false,
-            displayInputValues: false,
-            hotKeys: [ENTER_KEY_CODE, COMMA_KEY_CODE],
-        });
+
         const keywordInput = field.querySelector('.ibexa-data-source__input-wrapper .ibexa-data-source__input.form-control');
+        class EzKeywordTaggify extends ibexa.core.Taggify {
+            afterTagsUpdate() {
+                const tags = [...this.tags];
+
+                keywordInput.value = tags.join();
+                keywordInput.dispatchEvent(new Event('change'));
+            }
+        }
+        const taggify = new EzKeywordTaggify({
+            container: ibexaTaggifyNode,
+            acceptKeys: ['Enter', ','],
+        });
         const updateKeywords = updateValue.bind(this, keywordInput);
-        const addFocusState = () => taggifyContainer.classList.add(CLASS_TAGGIFY_FOCUS);
-        const removeFocusState = () => taggifyContainer.classList.remove(CLASS_TAGGIFY_FOCUS);
         const taggifyInput = taggifyContainer.querySelector('.taggify__input');
 
         if (keywordInput.required) {
             taggifyInput.setAttribute('required', true);
         }
 
         validator.init();
+        taggify.init();
 
         if (keywordInput.value.length) {
-            taggify.updateTags(
-                keywordInput.value.split(',').map((item) => ({
-                    id: Math.floor((1 + Math.random()) * 0x10000).toString(16),
-                    label: item,
-                })),
-            );
+            keywordInput.value.split(',').forEach((tag) => {
+                taggify.addTag(tag, tag);
+            });
         }
 
         taggifyContainer.addEventListener('tagsCreated', updateKeywords, false);
         taggifyContainer.addEventListener('tagRemoved', updateKeywords, false);
-        taggifyInput.addEventListener('focus', addFocusState, false);
-        taggifyInput.addEventListener('blur', removeFocusState, false);
 
         ibexa.addConfig('fieldTypeValidators', [validator], true);
     });

src/bundle/Resources/public/js/scripts/fieldType/ezobjectrelationlist.js

@@ -1,4 +1,7 @@
 (function (global, doc, ibexa, React, ReactDOM, Translator) {
+    const { dangerouslyInsertAdjacentHTML } = ibexa.helpers.dom;
+    const { escapeHTML, escapeHTMLAttribute } = ibexa.helpers.text;
+    const { formatShortDateTime } = ibexa.helpers.timezone;
     const CLASS_FIELD_SINGLE = 'ibexa-field-edit--ezobjectrelation';
     const SELECTOR_FIELD_MULTIPLE = '.ibexa-field-edit--ezobjectrelationlist';
     const SELECTOR_FIELD_SINGLE = '.ibexa-field-edit--ezobjectrelation';
@@ -72,9 +75,8 @@
         const closeUDW = () => udwRoot.unmount();
         const renderRows = (items) => {
             items.forEach((item, index) => {
-                relationsContainer.insertAdjacentHTML('beforeend', renderRow(item, index));
+                dangerouslyInsertAdjacentHTML(relationsContainer, 'beforeend', renderRow(item, index));
 
-                const { escapeHTML } = ibexa.helpers.text;
                 const itemNodes = relationsContainer.querySelectorAll('.ibexa-relations__item');
                 const itemNode = itemNodes[itemNodes.length - 1];
                 const contentId = escapeHTML(item.ContentInfo.Content._id);
@@ -168,17 +170,16 @@
         };
         const excludeDuplicatedItems = (items) => items.filter((item) => !selectedItems.includes(item.ContentInfo.Content._id));
         const renderRow = (item, index) => {
-            const { escapeHTML } = ibexa.helpers.text;
-            const { formatShortDateTime } = ibexa.helpers.timezone;
             const contentTypeName = ibexa.helpers.contentType.getContentTypeName(item.ContentInfo.Content.ContentTypeInfo.identifier);
-            const contentName = escapeHTML(item.ContentInfo.Content.TranslatedName);
-            const contentId = escapeHTML(item.ContentInfo.Content._id);
+            const contentTypeNameHtmlAttributeEscaped = escapeHTMLAttribute(contentTypeName);
+            const contentNameHtmlEscaped = escapeHTML(item.ContentInfo.Content.TranslatedName);
+            const contentIdHtmlEscaped = escapeHTML(item.ContentInfo.Content._id);
             const { rowTemplate } = relationsWrapper.dataset;
 
             return rowTemplate
-                .replace('{{ content_id }}', contentId)
-                .replace('{{ content_name }}', contentName)
-                .replace('{{ content_type_name }}', contentTypeName)
+                .replace('{{ content_id }}', contentIdHtmlEscaped)
+                .replace('{{ content_name }}', contentNameHtmlEscaped)
+                .replace('{{ content_type_name }}', contentTypeNameHtmlAttributeEscaped)
                 .replace('{{ published_date }}', formatShortDateTime(item.ContentInfo.Content.publishedDate))
                 .replace('{{ order }}', selectedItems.length + index + 1);
         };