
Commit 4fcd498

author
pipeline
committed
v27.1.52 is released
1 parent b9828f2 commit 4fcd498

226 files changed

+11972
-6870
lines changed


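--- a/controls/barcodegenerator/CHANGELOG.md
+++ b/controls/barcodegenerator/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 ## [Unreleased]
 
-## 27.1.51 (2024-09-30)
+## 27.1.52 (2024-10-08)
 
 ### Barcode
 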
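--- a/controls/barcodegenerator/package.json
+++ b/controls/barcodegenerator/package.json
@@ -28,7 +28,7 @@
 "canteen": "^1.0.5",
 "jasmine-ajax": "^3.3.1",
 "jasmine-core": "^2.6.1",
-"karma": "6.4.2",
+"karma": "^1.7.0",
 "karma-chrome-launcher": "^2.2.0",
 "karma-generic-preprocessor": "^1.1.0",
 "karma-htmlfile-reporter": "^0.3.5",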

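--- a/controls/base/CHANGELOG.md
+++ b/controls/base/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 ## [Unreleased]
 
+## 27.1.52 (2024-10-08)
+
+### Common
+
+#### Bug Fixes
+
+- `#I628053` - Resolved an issue where the sanitizer function did not properly handle HTML entities.
+
 ## 23.2.6 (2023-11-28)
 
 ### Common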

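--- a/controls/base/package.json
+++ b/controls/base/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@syncfusion/ej2-base",
-"version": "27.1.48",
+"version": "27.1.50",
 "description": "A common package of Essential JS 2 base libraries, methods and class definitions",
 "author": "Syncfusion Inc.",
 "license": "SEE LICENSE IN license",
@@ -60,7 +60,7 @@
 "canteen": "^1.0.5",
 "jasmine-ajax": "^3.3.1",
 "jasmine-core": "^2.6.1",
-"karma": "6.4.2",
+"karma": "^1.7.0",
 "karma-chrome-launcher": "^2.2.0",
 "karma-generic-preprocessor": "^1.1.0",
 "karma-htmlfile-reporter": "^0.3.5",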

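--- a/controls/base/spec/santize-helper.spec.ts
+++ b/controls/base/spec/santize-helper.spec.ts
@@ -9,6 +9,7 @@ describe('Sanitize Html Helper', () => {
 let innerHTML: string = `<div>
 <div id="inline-event" onmouseover='javascript:alert(1)'></div>
 <div id="onpropertychange" onpropertychange='javascript:alert(1)'></div>
+<a id="html-entity" href="jav&#x09;ascript:alert('XSS')" title="http://qwef" target="_blank" aria-label="Open in new window">qwef</a>
 <script>alert('hi')</script>
 <style> </style>
 <img src="javascript:alert('XSS Image');"/>
@@ -62,6 +63,9 @@ describe('Sanitize Html Helper', () => {
 it('should remove onpropertychange attribute', () => {
 expect(htmlObject.querySelector('#onpropertychange').hasAttribute('onpropertychange')).toBe(false);
 });
+it('should remove Html entity with href javascript alert', () => {
+expect(htmlObject.querySelector('#html-entity').hasAttribute('href')).toBe(false);
+});
 afterAll(() => {
 detach(htmlObject);
 });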

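--- a/controls/base/src/sanitize-helper.ts
+++ b/controls/base/src/sanitize-helper.ts
@@ -49,6 +49,7 @@ const removeTags: string[] = [
 
 const removeAttrs: SanitizeRemoveAttrs[] = [
 { attribute: 'href', selector: '[href*="javascript:"]' },
+{ attribute: 'href', selector: 'a[href]' },
 { attribute: 'background', selector: '[background^="javascript:"]' },
 { attribute: 'style', selector: '[style*="javascript:"]' },
 { attribute: 'style', selector: '[style*="expression("]' },
@@ -214,9 +215,17 @@ export class SanitizeHtmlHelper {
 this.removeAttrs.forEach((item: { [key: string]: string }, index: number) => {
 const elements: NodeListOf<HTMLElement> = this.wrapElement.querySelectorAll(item.selector);
 if (elements.length > 0) {
-elements.forEach((element: Element) => {
-element.removeAttribute(item.attribute);
-});
+if (item.selector === 'a[href]') {
+elements.forEach((element: Element) => {
+if ((element.getAttribute(item.attribute)).replace(/\t|\s|&/, '').indexOf('javascript:alert') !== -1) {
+element.removeAttribute(item.attribute);
+}
+});
+} else {
+elements.forEach((element: Element) => {
+element.removeAttribute(item.attribute);
+});
+}
 }
 });
 }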
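Review bot: The new `a[href]` branch in the removeAttrs loop checks far less than the `[href*="javascript:"]` rule it sits beside: `replace(/\t|\s|&/, '')` has no `g` flag, so only the first whitespace character is stripped before the comparison, and `indexOf('javascript:alert')` only recognises the literal `alert` call, so a `javascript:` href carrying any other expression, or more than one embedded whitespace character, keeps its attribute. Since `getAttribute` already returns the entity-decoded value (which is why the spec's `&#x09;` case reaches this code as a tab), the `&` alternative appears to do nothing. Normalising the value and checking the scheme is both simpler and safer, e.g. `const href = (element.getAttribute(item.attribute) || '').replace(/[\u0000-\u0020]/g, '').toLowerCase();` followed by `if (href.indexOf('javascript:') === 0) { element.removeAttribute(item.attribute); }`. The `item.selector === 'a[href]'` string comparison also couples the loop body to one table entry; a dedicated field on `SanitizeRemoveAttrs` marking entries that need value inspection would make the intent explicit. The enclosing method starts outside the hunk.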

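--- a/controls/buttons/CHANGELOG.md
+++ b/controls/buttons/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 ## [Unreleased]
 
-## 27.1.51 (2024-09-30)
+## 27.1.52 (2024-10-08)
 
 ### Checkbox
 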
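--- a/controls/buttons/package.json
+++ b/controls/buttons/package.json
@@ -26,7 +26,7 @@
 "canteen": "^1.0.5",
 "jasmine-ajax": "^3.3.1",
 "jasmine-core": "^2.6.1",
-"karma": "6.4.2",
+"karma": "^1.7.0",
 "karma-chrome-launcher": "^2.2.0",
 "karma-generic-preprocessor": "^1.1.0",
 "karma-htmlfile-reporter": "^0.3.5",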

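--- a/controls/calendars/package.json
+++ b/controls/calendars/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@syncfusion/ej2-calendars",
-"version": "27.1.50",
+"version": "27.1.51",
 "description": "A complete package of date or time components with built-in features such as date formatting, inline editing, multiple (range) selection, range restriction, month and year selection, strict mode, and globalization.",
 "author": "Syncfusion Inc.",
 "license": "SEE LICENSE IN license",
@@ -31,7 +31,7 @@
 "canteen": "^1.0.5",
 "jasmine-ajax": "^3.3.1",
 "jasmine-core": "^2.6.1",
-"karma": "6.4.2",
+"karma": "^1.7.0",
 "karma-chrome-launcher": "^2.2.0",
 "karma-generic-preprocessor": "^1.1.0",
 "karma-htmlfile-reporter": "^0.3.5",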
