Added escapeHTML function to escape component description

formio · Jan 3, 2024 · 99adc2c · 99adc2c
1 parent 106a33a
commit 99adc2c
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/src/components/_classes/component/Component.js b/src/components/_classes/component/Component.js
@@ -959,7 +959,15 @@ export default class Component extends Element {
   renderTemplate(name, data = {}, modeOption) {
     // Need to make this fall back to form if renderMode is not found similar to how we search templates.
     const mode = modeOption || this.options.renderMode || 'form';
-    data.component = this.component;
+    data.component = {
+      ...this.component,
+    };
+
+    // Escape HTML provided in component description and render it as a string instead
+    if (this.component.description) {
+      data.component.description = FormioUtils.escapeHTML(this.component.description);
+    }
+
     data.self = this;
     data.options = this.options;
     data.readOnly = this.options.readOnly;

diff --git a/src/utils/utils.js b/src/utils/utils.js
@@ -446,6 +446,22 @@ export function unescapeHTML(str) {
   return doc.documentElement.textContent;
 }
 
+/**
+ * Escape HTML characters like <, >, & and etc.
+ * @param str
+ * @returns {string}
+ */
+export function escapeHTML(html) {
+  if (html) {
+    return html.replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#39;');
+  }
+  return '';
+}
+
 /**
  * Make HTML element from string
  * @param str