Fix ui_text XSS

to close #772

Author: Dave Conway-Jones

CHANGELOG.md

@@ -1,4 +1,8 @@
 
+### 3.1.9: Maintenance Release
+
+ - Fix Cross site scripting for ui_text format input. Issue #772
+
 ### 3.1.8: Maintenance Release
 
  - Use Node-RED CSS vars for ui-bas to help themeing. PR #763

dist/dashboard.appcache

@@ -1,5 +1,5 @@
 CACHE MANIFEST
-# Time: Wed May 25 2022 11:23:30 GMT+0100 (British Summer Time)
+# Time: Wed Aug 24 2022 17:30:31 GMT+0100 (British Summer Time)
 
 CACHE:
 i18n.js
@@ -26,4 +26,4 @@ loading.html
 NETWORK:
 *
 
-# hash: 22f744c7102e4eb0375d482c7bd34ac0d407159d34773e84e1f5087d0b6444d3
+# hash: 9ff936fabba7ec5170a4f63f8f6b72aa1343c36c57f8382848eb81dae9ca5512

dist/js/app.min.js

@@ -1,6 +1,6 @@
 {
     "name": "node-red-dashboard",
-    "version": "3.1.8",
+    "version": "3.1.9",
     "description": "A set of dashboard nodes for Node-RED",
     "keywords": [
         "node-red"

package.json

@@ -12,28 +12,58 @@ angular.module('ui').controller('uiComponentController', ['$scope', 'UiEvents',
             var me = this;
 
             if (typeof me.item.format === "string") {
-                me.item.getText = $interpolate(me.item.format).bind(null, me.item);
+                if (me.item.format.indexOf("constructor") === -1) {
+                    me.item.getText = $interpolate(me.item.format).bind(null, me.item);
+                }
+                else {
+                    me.item.getText = function() { return me.item.format };
+                }
             }
 
             if (typeof me.item.label === "string") {
-                me.item.getLabel = $interpolate(me.item.label).bind(null, me.item);
-                me.item.safeLabel = "nr-dashboard-widget-" + (me.item.label).replace(/\W/g,'_');
+                if (me.item.label.indexOf("constructor") === -1) {
+                    me.item.getLabel = $interpolate(me.item.label).bind(null, me.item);
+                    me.item.safeLabel = "nr-dashboard-widget-" + (me.item.label).replace(/\W/g,'_');
+                }
+                else {
+                    me.item.getText = function() { return me.item.label };
+                }
             }
 
             if (typeof me.item.tooltip === "string") {
-                me.item.getTooltip = $interpolate(me.item.tooltip).bind(null, me.item);
+                if (me.item.tooltip.indexOf("constructor") === -1) {
+                    me.item.getTooltip = $interpolate(me.item.tooltip).bind(null, me.item);
+                }
+                else {
+                    me.item.getText = function() { return me.item.tooltip };
+                }
             }
 
             if (typeof me.item.color === "string") {
-                me.item.getColor = $interpolate(me.item.color).bind(null, me.item);
+                if (me.item.color.indexOf("constructor") === -1) {
+                    me.item.getColor = $interpolate(me.item.color).bind(null, me.item);
+                }
+                else {
+                    me.item.getText = function() { return me.item.color };
+                }
             }
 
             if (typeof me.item.icon === "string") {
-                me.item.getIcon = $interpolate(me.item.icon).bind(null, me.item);
+                if (me.item.icon.indexOf("constructor") === -1) {
+                    me.item.getIcon = $interpolate(me.item.icon).bind(null, me.item);
+                }
+                else {
+                    me.item.getText = function() { return me.item.icon };
+                }
             }
 
             if (typeof me.item.units === "string") {
-                me.item.getUnits = $interpolate(me.item.units).bind(null, me.item);
+                if (me.item.units.indexOf("constructor") === -1) {
+                    me.item.getUnits = $interpolate(me.item.units).bind(null, me.item);
+                }
+                else {
+                    me.item.getText = function() { return me.item.units };
+                }
             }
 
             me.init = function () {