diff --git a/src/components/_classes/component/Component.js b/src/components/_classes/component/Component.js index 0cd636b903..34f5122939 100644 --- a/src/components/_classes/component/Component.js +++ b/src/components/_classes/component/Component.js @@ -959,7 +959,15 @@ export default class Component extends Element { renderTemplate(name, data = {}, modeOption) { // Need to make this fall back to form if renderMode is not found similar to how we search templates. const mode = modeOption || this.options.renderMode || 'form'; - data.component = this.component; + data.component = { + ...this.component, + }; + + // Escape HTML provided in component description and render it as a string instead + if (this.component.description) { + data.component.description = FormioUtils.escapeHTML(this.component.description); + } + data.self = this; data.options = this.options; data.readOnly = this.options.readOnly; diff --git a/src/utils/utils.js b/src/utils/utils.js index d308e8d313..25a4bfe3ee 100644 --- a/src/utils/utils.js +++ b/src/utils/utils.js @@ -446,6 +446,22 @@ export function unescapeHTML(str) { return doc.documentElement.textContent; } +/** + * Escape HTML characters like <, >, & and etc. + * @param str + * @returns {string} + */ +export function escapeHTML(html) { + if (html) { + return html.replace(/&/g, '&') + .replace(//g, '>') + .replace(/"/g, '"') + .replace(/'/g, '''); + } + return ''; +} + /** * Make HTML element from string * @param str