diff --git a/static/js/components/SidebarManager.js b/static/js/components/SidebarManager.js index 6c53dd28..a4805dce 100644 --- a/static/js/components/SidebarManager.js +++ b/static/js/components/SidebarManager.js @@ -7,6 +7,7 @@ import { translate } from '../utils/i18nHelpers.js'; import { state } from '../state/index.js'; import { bulkManager } from '../managers/BulkManager.js'; import { showToast } from '../utils/uiHelpers.js'; +import { escapeHtml, escapeAttribute } from './shared/utils.js'; export class SidebarManager { constructor() { @@ -1294,15 +1295,19 @@ export class SidebarManager { const isExpanded = this.expandedNodes.has(currentPath); const isSelected = this.selectedPath === currentPath; + const escapedPath = escapeAttribute(currentPath); + const escapedFolderName = escapeHtml(folderName); + const escapedTitle = escapeAttribute(folderName); + return ` -
-
+
+
-
${folderName}
+
${escapedFolderName}
${hasChildren ? `
@@ -1342,12 +1347,15 @@ export class SidebarManager { const foldersHtml = this.foldersList.map(folder => { const displayName = folder === '' ? '/' : folder; const isSelected = this.selectedPath === folder; + const escapedPath = escapeAttribute(folder); + const escapedDisplayName = escapeHtml(displayName); + const escapedTitle = escapeAttribute(displayName); return ` -
-
+
+
-
${displayName}
+
${escapedDisplayName}
`; @@ -1570,7 +1578,8 @@ export class SidebarManager { // Add selection to current path if (this.selectedPath !== null && this.selectedPath !== undefined) { - const selectedItem = folderTree.querySelector(`[data-path="${this.selectedPath}"]`); + const escapedPathSelector = CSS.escape(this.selectedPath); + const selectedItem = folderTree.querySelector(`[data-path="${escapedPathSelector}"]`); if (selectedItem) { selectedItem.classList.add('selected'); } @@ -1581,7 +1590,8 @@ export class SidebarManager { }); if (this.selectedPath !== null && this.selectedPath !== undefined) { - const selectedNode = folderTree.querySelector(`[data-path="${this.selectedPath}"] .sidebar-tree-node-content`); + const escapedPathSelector = CSS.escape(this.selectedPath); + const selectedNode = folderTree.querySelector(`[data-path="${escapedPathSelector}"] .sidebar-tree-node-content`); if (selectedNode) { selectedNode.classList.add('selected'); this.expandPathParents(this.selectedPath); @@ -1655,7 +1665,7 @@ export class SidebarManager { const breadcrumbs = [`
- ${this.apiClient.apiConfig.config.displayName} root + ${escapeHtml(this.apiClient.apiConfig.config.displayName)} root
`]; @@ -1675,8 +1685,8 @@ export class SidebarManager {
${nextLevelFolders.map(folder => ` -
- ${folder} +
+ ${escapeHtml(folder)}
`).join('') }
@@ -1692,12 +1702,14 @@ export class SidebarManager { // Get siblings for this level const siblings = this.getSiblingFolders(parts, index); + const escapedCurrentPath = escapeAttribute(currentPath); + const escapedPart = escapeHtml(part); breadcrumbs.push(`/`); breadcrumbs.push(`
- - ${part} + + ${escapedPart} ${siblings.length > 1 ? ` @@ -1706,11 +1718,14 @@ export class SidebarManager { ${siblings.length > 1 ? `
- ${siblings.map(folder => ` -
- ${folder} -
`).join('') + ${siblings.map(folder => { + const siblingPath = parts.slice(0, index).concat(folder).join('/'); + return ` +
+ ${escapeHtml(folder)} +
`; + }).join('') }
` : ''} @@ -1732,8 +1747,8 @@ export class SidebarManager {
${childFolders.map(folder => ` -
- ${folder} +
+ ${escapeHtml(folder)}
`).join('') }