fix(pickers,RangeSlider,Autocomplete): route config strings through the sanitizer#596
Merged
Merged
Conversation
Coverage Report for CI Build 28759380993Coverage increased (+0.02%) to 94.623%Details
Uncovered ChangesNo uncovered changes found. Coverage RegressionsNo coverage regressions found. Coverage Stats💛 - Coveralls |
mrholek
force-pushed
the
fix/sanitizer-bypass-config-strings
branch
from
July 5, 2026 23:54
cf283f1 to
320a517
Compare
…he sanitizer Several developer-config strings were written to innerHTML while skipping the component's own sanitizer/escaping: - RangeSlider tooltip update path (init path already sanitized) - Autocomplete searchNoResultsLabel (multi-select already used textContent) - TimePicker / DateRangePicker footer buttons and DateRangePicker ranges keys - Calendar weekNumbersLabel and navigation aria-label attributes Sanitize (RangeSlider) or set via textContent / HTML-escape (others) so config can no longer inject markup.
mrholek
force-pushed
the
fix/sanitizer-bypass-config-strings
branch
from
July 5, 2026 23:58
320a517 to
f8e56d8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security hardening — route config strings through the sanitizer
Several developer-config strings were written to
innerHTMLwhile skipping the component's own sanitizer/escaping:searchNoResultsLabel(the multi-select equivalent already usedtextContent).rangeskeys.weekNumbersLabeland the navigationaria-labelattributes.Fix
Sanitize (RangeSlider) or set via
textContent/ HTML-escape (others) so these config values can no longer inject markup. Lower severity (developer-controlled config), defense-in-depth. Regression tests added.