-
Bug
-
Resolution: Fixed
-
Major
-
9.0.0
-
Security Level: Jimmy
-
ZK 9.0.1 S1
-
None
Steps to Reproduce
<chosenbox width="200px"/>
paste/type the text: <img src=img onError=alert('hello')>
Current Result
the onError handler executes
Expected Result
entered text should be treated as text
-> not evaluated as HTML/JS
Debug Information
https://github.com/zkoss/zkcml/blob/master/zkmax/src/archive/web/js/zkmax/inp/Chosenbox.js#L1029
the code that measures the text width assigns the value via innerHTML, which parses the text as HTML
Workaround
override the _fixInputWidth method, replacing innerHTML with textContent
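// Workaround for ZK Chosenbox's input-width measurement: the stock
// _fixInputWidth copies the typed value into the hidden "txcnt" node via
// innerHTML, so any markup typed into the box is parsed by the browser.
// This override keeps the measurement logic unchanged but writes the value
// with textContent, so the input is measured as plain text and never parsed.
zk.afterLoad('zkmax.inp', function () {
  // zk.override stores the methods it replaces on this holder object.
  var xChosenbox = {};
  zk.override(zkmax.inp.Chosenbox.prototype, xChosenbox, {
    /**
     * Resize the text input to fit its current value, capped at the
     * widget width minus a margin, and re-position the popup if the
     * widget's height changed as a result. Also cancels any pending
     * deferred resize stored in this.fixInputWidth.
     */
    _fixInputWidth: function () {
      var n = this.$n();
      var inp = this.$n('inp');
      var txcnt = this.$n('txcnt');
      var oldh = jq(n).height();
      // _width is presumably a CSS length such as '200px' (see the widget's
      // width attribute); an explicit radix makes the leading-integer parse
      // unambiguous.
      var max = parseInt(this._width, 10) - 10;
      var width;

      // Copy the value into the hidden measuring node as TEXT, never as
      // HTML: textContent does not parse markup, so nothing is evaluated.
      txcnt.textContent = inp.value; /* patched line: was innerHTML */

      // Measure the rendered text; the 30px slack is kept from the stock code.
      width = jq(txcnt).width() + 30;
      if (width > max) {
        inp.style.width = max + 'px';
      } else {
        inp.style.width = width + 'px';
      }

      // A width change can alter the widget's height; if it did, the
      // dropdown popup must follow.
      if (jq(n).height() !== oldh) {
        this._updatePopupPosition(n, this.$n('pp'));
      }

      // Cancel any pending deferred resize and clear the handle.
      if (this.fixInputWidth) {
        clearTimeout(this.fixInputWidth);
      }
      this.fixInputWidth = null;
    }
  }); // zk.override
}); // zk.afterLoad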