From 5d16ba135ac3a8f0a2118eb3a1118609d9f43da0 Mon Sep 17 00:00:00 2001
From: imperosol
Date: Thu, 17 Oct 2024 08:12:09 +0200
Subject: [PATCH] fix: xss on select2 results
---
 core/static/webpack/utils/select2.ts | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/core/static/webpack/utils/select2.ts b/core/static/webpack/utils/select2.ts
index 8dc58f60..b3e5b4d3 100644
--- a/core/static/webpack/utils/select2.ts
+++ b/core/static/webpack/utils/select2.ts
@@ -265,17 +265,22 @@ export function itemFormatter(user: { loading: boolean; text: string }) {
 export function selectItemBuilder(pictureGetter?: (item: RemoteResult) => string) {
 return (item: RemoteResult) => {
 const picture = typeof pictureGetter === "function" ? pictureGetter(item) : null;
- const imgHtml = picture
- ? `${item.text}`
- : "";
+ const wrapper = document.createElement("div");
+ wrapper.classList.add("select-item");
+ if (picture) {
+ const img = document.createElement("img");
+ img.src = picture;
+ img.alt = encodeURI(item.text);
+ img.onerror = () => {
+ img.src = "/static/core/img/unknown.jpg";
+ };
+ wrapper.appendChild(img);
+ }
+ const textSpan = document.createElement("span");
+ textSpan.classList.add("select-item-text");
+ textSpan.appendChild(document.createTextNode(item.text));
+ wrapper.appendChild(textSpan);
- return $(`
- ${imgHtml} - ${item.text} -
`);
+ return $(wrapper);
 };
 }
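Review bot: `img.alt = encodeURI(item.text);` should simply be `img.alt = item.text;` — assigning the `alt` DOM property never goes through the HTML parser, so no escaping is needed there, and `encodeURI` corrupts the accessible text (spaces become `%20`, non-ASCII names become percent-escapes) for screen readers and whenever the image fails to render. The real XSS fix is the move from string interpolation to `createElement`/`createTextNode`, which deserves a one-line comment above `const wrapper` so nobody reintroduces a template string later, e.g. `// Build via DOM APIs: item.text is user-controlled and must never be interpolated into HTML.` Separately, the `onerror` handler reassigns `img.src` unconditionally, so if `/static/core/img/unknown.jpg` itself fails to load the error event fires again and the handler re-runs; clearing it first (`img.onerror = null;` before `img.src = "/static/core/img/unknown.jpg";`) is the usual guard, and the same weakness existed in the removed inline `onerror` attribute.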