foundryvtt / foundryvtt

Public issue tracking and documentation for Foundry Virtual Tabletop - software connecting RPG gamers in a shared multiplayer environment with an intuitive interface and powerful API.
https://foundryvtt.com/

HTMLStringTagsElement does not escape HTML when rendering entered tags #10785

Closed Fyorl closed 2 weeks ago

Fyorl commented 2 weeks ago

Originally reported by asheeon https://discord.com/channels/170995199584108546/1184176415139184731/1233702770293477387

ALL MODULES DISABLED? true
OS, Hosting, Browser (if applicable): Windows 11 / Node / Chrome
Short Description of bug: HTMLStringTagsElement directly renders content into the DOM without sanitization.
Simple steps to reproduce the bug: Create an HTMLStringTagsElement and add the value `<test value>`. You will find that instead of the string "" being rendered within the Tag's span, it will be interpreted as an HTML element `<test value>`.
Screenshots and/or console errors:


Fyorl commented 2 weeks ago

This issue exists with the HTMLMultiSelectElement additionally

aaclayton commented 2 weeks ago

Leverage HTMLElement#textContent to do sanitization for us.
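As an added illustration, not Foundry VTT code and not the patch aaclayton refers to, the snippet below contrasts the two rendering patterns this issue is about: interpolating a raw tag string into markup (the reported behaviour, where `<test value>` is parsed as an element) versus letting the DOM store it as text via `textContent`, with a string-level escape as the equivalent for non-DOM templating. The `renderTag*` function names and the sample tag value are constructed for the example.

```javascript
// Added example (not Foundry VTT code). Shows why an unescaped tag value is
// parsed as markup and how textContent (or an equivalent escape) prevents it.

// Constructed sample input of the kind the report describes.
const SAMPLE_TAG = "<test value>";

// Vulnerable pattern: the raw tag string is interpolated into HTML.
// A browser parsing this output treats <test value> as an element, so the
// span appears empty, which matches the symptom in the report.
function renderTagUnsafe(tag) {
  return `<span class="tag">${tag}</span>`;
}

// Hardened equivalent for string templating: escape every character that
// carries meaning in HTML text or attribute context before interpolating.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderTagSafe(tag) {
  return `<span class="tag">${escapeHtml(tag)}</span>`;
}

// In a browser the same protection comes from the DOM itself: assigning
// textContent creates a text node, so no HTML parsing of the value occurs.
// Guarded so the file also runs under Node, which has no `document`.
function renderTagElement(tag) {
  if (typeof document === "undefined") return null;
  const span = document.createElement("span");
  span.className = "tag";
  span.textContent = tag; // safe: stored as text, rendered literally
  return span;
}

// Simple check usable in a test: does the rendered markup still contain the
// untrusted input verbatim when that input itself contains a tag opener?
function containsRawTag(html, tag) {
  return tag.includes("<") && html.includes(tag);
}
```

Running the check against both renderers shows `renderTagUnsafe` leaking the input as markup while `renderTagSafe` emits `&lt;test value&gt;`, which is the literal text the user typed; `renderTagElement` gives the same literal rendering in a browser without any hand-written escaping.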