Sanitize HTML on grid HTML widget

axelor · Jan 27, 2025 · e141366 · e141366
1 parent ea6d4f2
commit e141366
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/axelor-web/src/main/webapp/js/form/form.input.html.js b/axelor-web/src/main/webapp/js/form/form.input.html.js
@@ -489,6 +489,15 @@ ui.formInput('HtmlInline', 'Text', {
     var shellElement = $(shell.getElement());
     wrapper.resizable();
 
+    scope.$render_editable = function () {
+      var value = scope.getValue() || "";
+      var sanitizedValue = axelor.sanitize(value);
+      if (DOMPurify.removed.length) {
+        value = sanitizedValue;
+        model.$setViewValue(value);
+      }
+    };
+
     scope.waitForActions(function() {
       container = element.parents('.ui-dialog-content,.view-container').first();
       wrapper.height(field.height || 175).appendTo(container);

diff --git a/axelor-web/src/main/webapp/js/widget/widget.slickgrid.js b/axelor-web/src/main/webapp/js/widget/widget.slickgrid.js
@@ -506,7 +506,7 @@ _.extend(Factory.prototype, {
     }
 
     if (widget === "html") {
-      return value ? '<span>' + value + '</span>' : '';
+      return value ? '<span>' + axelor.sanitize(value) + '</span>' : '';
     }
 
     // try to get dotted field value from related object

diff --git a/changelogs/unreleased/security-html-widget-grid.yml b/changelogs/unreleased/security-html-widget-grid.yml
@@ -0,0 +1,4 @@
+
+---
+title: Sanitize HTML on grid HTML widget
+type: security