Janky fix for Select2 bug

snipe · Mar 19, 2019 · 5848d9a · 5848d9a
1 parent bd85483
commit 5848d9a
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/resources/assets/js/snipeit.js b/resources/assets/js/snipeit.js
@@ -260,7 +260,18 @@ $(document).ready(function () {
     }
 
     function formatDataSelection (datalist) {
-        return datalist.text;
+        // This a heinous workaround for a known bug in Select2.
+        // Without this, the rich selectlists are vulnerable to XSS.
+        // Many thanks to @uberbrady for this fix. It ain't pretty,
+        // but it resolves the issue until Select2 addresses it on their end.
+        //
+        // Bug was reported in 2016 :{
+        // https://github.com/select2/select2/issues/4587
+
+        return datalist.text.replace(/>/g, '&gt;')
+            .replace(/</g, '&lt;')
+            .replace(/"/g, '&quot;')
+            .replace(/'/g, '&#039;');
     }
 
     // This handles the radio button selectors for the checkout-to-foo options