This is an automated email from the ASF dual-hosted git repository.
hiedra pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/royale-asjs.git
The following commit(s) were added to refs/heads/develop by this push:
new 3072caf5ee fix: sanitize textData and filterText in Jewel
SearchFilterForList
3072caf5ee is described below
commit 3072caf5ee8e42939a05b2d8d9543055c43189ab
Author: hiedra <[email protected]>
AuthorDate: Wed Jul 23 11:48:06 2025 +0200
fix: sanitize textData and filterText in Jewel SearchFilterForList
---
.../jewel/beads/controls/textinput/SearchFilterForList.as | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git
a/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/beads/controls/textinput/SearchFilterForList.as
b/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/beads/controls/textinput/SearchFilterForList.as
index b91c4cd9d6..3bacc880e0 100644
---
a/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/beads/controls/textinput/SearchFilterForList.as
+++
b/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/beads/controls/textinput/SearchFilterForList.as
@@ -39,6 +39,7 @@ package org.apache.royale.jewel.beads.controls.textinput
COMPILE::JS
{
import org.apache.royale.core.UIBase;
+ import org.apache.royale.utils.string.sanitizeHtml;
}
/**
@@ -321,13 +322,15 @@ package org.apache.royale.jewel.beads.controls.textinput
//stores the item if text is the same
if(textData.toUpperCase() ==
filterText.toUpperCase())
item = ir.data;
-
- //decorate text
- if(useDecoration)
+
+ COMPILE::JS
{
- var txt:String = "<span
style='display:contents;'>" + (filterText != "" ? decorateText(textData,
textData.toUpperCase().indexOf(filterText.toUpperCase()), filterText.length) :
textData ) + "</span>";
- COMPILE::JS
+ //decorate text
+ if(useDecoration)
{
+ var securetxt:String =
sanitizeHtml(textData);
+ var
securefiltertxt:String = sanitizeHtml(filterText);
+ var txt:String = "<span
style='display:contents;'>" + (securefiltertxt != "" ? decorateText(securetxt,
securetxt.toUpperCase().indexOf(securefiltertxt.toUpperCase()),
securefiltertxt.length) : securetxt ) + "</span>";
var a:UIBase = ir as
UIBase;
(ir as
UIBase).element.innerHTML = txt;
}
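Review bot: In the new `var txt` line the match index and length are computed on the output of `sanitizeHtml`, and `decorateText` then splices its markup into that string after sanitizing, so the value assigned to `element.innerHTML` is not the string the sanitizer checked. If `sanitizeHtml` leaves any permitted tags or entities in `securetxt`, a match that lands inside one would get the decoration inserted mid-tag. Separately, a `filterText` that sanitizing alters can make `indexOf` return -1, even though the comparison above the hunk ran on the raw strings. Since `textData` looks like a plain-text label, consider escaping it as text instead of sanitizing it as HTML. Alternatively, sanitize last, on the composed string, e.g. `(ir as UIBase).element.innerHTML = sanitizeHtml(txt);`, after confirming the sanitizer keeps the `span` wrapper and the decoration markup. The enclosing function starts and ends outside the hunk, so the -1 case may already be guarded there.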