Skip to content

fix(pickers,RangeSlider,Autocomplete): route config strings through the sanitizer#596

Merged
mrholek merged 1 commit into
mainfrom
fix/sanitizer-bypass-config-strings
Jul 6, 2026
Merged

fix(pickers,RangeSlider,Autocomplete): route config strings through the sanitizer#596
mrholek merged 1 commit into
mainfrom
fix/sanitizer-bypass-config-strings

Conversation

@mrholek

@mrholek mrholek commented Jul 5, 2026

Copy link
Copy Markdown
Member

Security hardening — route config strings through the sanitizer

Several developer-config strings were written to innerHTML while skipping the component's own sanitizer/escaping:

  • RangeSlider tooltip update path (the init path already sanitized — this aligns them).
  • Autocomplete searchNoResultsLabel (the multi-select equivalent already used textContent).
  • TimePicker / DateRangePicker footer buttons, and DateRangePicker ranges keys.
  • Calendar weekNumbersLabel and the navigation aria-label attributes.

Fix

Sanitize (RangeSlider) or set via textContent / HTML-escape (others) so these config values can no longer inject markup. Lower severity (developer-controlled config), defense-in-depth. Regression tests added.

@coveralls

coveralls commented Jul 5, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 28759380993

Coverage increased (+0.02%) to 94.623%

Details

  • Coverage increased (+0.02%) from the base build.
  • Patch coverage: 8 of 8 lines across 4 files are fully covered (100%).
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 7438
Covered Lines: 7164
Line Coverage: 96.32%
Relevant Branches: 3070
Covered Branches: 2779
Branch Coverage: 90.52%
Branches in Coverage %: Yes
Coverage Strength: 762.83 hits per line

💛 - Coveralls

@mrholek
mrholek force-pushed the fix/sanitizer-bypass-config-strings branch from cf283f1 to 320a517 Compare July 5, 2026 23:54
@mrholek
mrholek changed the base branch from main to refactor/shared-sanitizer-utils July 5, 2026 23:54
…he sanitizer

Several developer-config strings were written to innerHTML while skipping the
component's own sanitizer/escaping:
- RangeSlider tooltip update path (init path already sanitized)
- Autocomplete searchNoResultsLabel (multi-select already used textContent)
- TimePicker / DateRangePicker footer buttons and DateRangePicker ranges keys
- Calendar weekNumbersLabel and navigation aria-label attributes

Sanitize (RangeSlider) or set via textContent / HTML-escape (others) so config
can no longer inject markup.
@mrholek
mrholek force-pushed the fix/sanitizer-bypass-config-strings branch from 320a517 to f8e56d8 Compare July 5, 2026 23:58
@mrholek
mrholek changed the base branch from refactor/shared-sanitizer-utils to main July 5, 2026 23:58
@mrholek
mrholek merged commit bc4daf1 into main Jul 6, 2026
6 of 8 checks passed
@mrholek
mrholek deleted the fix/sanitizer-bypass-config-strings branch July 6, 2026 00:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants