Merge pull request from GHSA-5cr9-5jx3-2g39

avo-hq · Jun 5, 2023 · 7891c01 · 7891c01
1 parent d8ab4c1
commit 7891c01
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 7 deletions.
diff --git a/app/components/avo/alert_component.html.erb b/app/components/avo/alert_component.html.erb
@@ -10,7 +10,7 @@
       </div>
       <div class="ml-3 w-0 flex-1 pt-0.5">
         <p class="text-sm leading-5 font-semibold">
-          <%== message %>
+          <%= sanitize message %>
         </p>
       </div>
       <div class="ml-4 flex-shrink-0 flex items-center">

diff --git a/app/components/avo/field_wrapper_component.html.erb b/app/components/avo/field_wrapper_component.html.erb
@@ -24,13 +24,13 @@
           <div class="text-red-600 mt-2 text-sm"><%= record.errors.full_messages_for(field.id).to_sentence %></div>
         <% end %>
         <% if help.present? %>
-          <div class="text-gray-600 mt-2 text-sm"><%== help %></div>
+          <div class="text-gray-600 mt-2 text-sm"><%= sanitize help %></div>
         <% end %>
       <% end %>
     </div>
   </div>
   <% if params[:avo_debug].present? %>
     <!-- Raw value: -->
-    <!-- <%== field.value.inspect %> -->
+    <!-- <%= sanitize field.value.inspect %> -->
   <% end %>
 <% end %>
diff --git a/app/components/avo/fields/common/heading_component.html.erb b/app/components/avo/fields/common/heading_component.html.erb
@@ -3,7 +3,7 @@
     <% if empty %>
     <% elsif value.present? %>
       <% if as_html %>
-        <%== value %>
+        <%= sanitize value %>
       <% else %>
         <div class="font-semibold uppercase"><%= value %></div>
       <% end %>

diff --git a/app/components/avo/fields/trix_field/edit_component.html.erb b/app/components/avo/fields/trix_field/edit_component.html.erb
@@ -20,7 +20,7 @@
       },
       input: trix_id,
       placeholder: @field.placeholder do %>
-      <%== @field.value %>
+      <%= sanitize @field.value %>
     <% end %>
     <%= @form.text_area @field.id,
       class: classes("w-full hidden"),

diff --git a/app/components/avo/fields/trix_field/show_component.html.erb b/app/components/avo/fields/trix_field/show_component.html.erb
@@ -8,7 +8,7 @@
       <%= link_to t('avo.show_content'), 'javascript:void(0);', class: 'font-bold inline-block', data: { action: 'click->hidden-input#showContent' } %>
     <% end %>
     <div class="<%= content_classes %> " data-hidden-input-target="content">
-      <%== @field.value %>
+      <%= sanitize @field.value %>
     </div>
   </div>
 <% end %>
diff --git a/app/components/avo/index/field_wrapper_component.html.erb b/app/components/avo/index/field_wrapper_component.html.erb
@@ -19,6 +19,6 @@
   <% end %>
   <% if params[:avo_debug].present? %>
     <!-- Raw value: -->
-    <!-- <%== @field.value.inspect %> -->
+    <!-- <%= sanitize @field.value.inspect %> -->
   <% end %>
 <% end %>