From 98d79424de3956944aa880980e8f5de9a2751e33 Mon Sep 17 00:00:00 2001
From: Timo Tijhof
Date: Sun, 7 Jul 2024 02:02:41 +0100
Subject: [PATCH] HTML Reporter: Fix encoding of label for urlConfig multi-value item

Cherry-picked from de3a37d7fb266f2e9e6719eb966fe5a5d8e6c9bb (3.0.0-dev)

> When QUnit.config.urlConfig is used to create a multi-value option
> (rather than string, as is more common), then `val.label` was not
> escaped, which meant that if labels were to contain mention of an
> HTML tag or otherwise contain "<" and ">",
> these could glitch and break part of the toolbar rendering.
> This is unlikely to be exploitable, e.g. not controlled by
> URL parameters, and generally populated with literals. Even dynamic
> menus that feed dropdown contents from external input are fine,
> since this affects the top-level label only.
---
 src/html-reporter/html.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/html-reporter/html.js b/src/html-reporter/html.js
index 2cbb0700d..fd5e0c427 100644
--- a/src/html-reporter/html.js
+++ b/src/html-reporter/html.js
@@ -137,7 +137,7 @@ const stats = { " title='" + escapedTooltip + "' />" + escapeText(val.label) + ''; } else { urlConfigHtml += "