Where are the contents of “txt” coming from? Is using innerHTML a security risk?

> On Jul 22, 2025, at 5:35 AM, hie...@apache.org wrote:
> 
> This is an automated email from the ASF dual-hosted git repository.
> 
> hiedra pushed a commit to branch develop
> in repository https://gitbox.apache.org/repos/asf/royale-asjs.git
> 
> 
> The following commit(s) were added to refs/heads/develop by this push:
>     new 15edae07a8 fix: use innerHTML instead of text in Jewel 
> SearchFilterForList text doesn't render HTML, preventing styling with 
> useDecoration. innerHTML enables proper CSS markup.
> 15edae07a8 is described below
> 
> commit 15edae07a8ed5db132cb8cf55424004af73510c0
> Author: hiedra <mjest...@iest.com>
> AuthorDate: Tue Jul 22 04:36:14 2025 +0200
> 
>    fix: use innerHTML instead of text in Jewel SearchFilterForList
>    text doesn't render HTML, preventing styling with useDecoration. innerHTML 
> enables proper CSS markup.
> 
>    Closes #1253
> ---
> .../jewel/beads/controls/textinput/SearchFilterForList.as   | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git 
> a/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/beads/controls/textinput/SearchFilterForList.as
>  
> b/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/beads/controls/textinput/SearchFilterForList.as
> index b684b84a7e..b91c4cd9d6 100644
> --- 
> a/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/beads/controls/textinput/SearchFilterForList.as
> +++ 
> b/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/beads/controls/textinput/SearchFilterForList.as
> @@ -36,6 +36,10 @@ package org.apache.royale.jewel.beads.controls.textinput
>       import 
> org.apache.royale.jewel.supportClasses.list.IListPresentationModel;
>       import org.apache.royale.jewel.supportClasses.textinput.TextInputBase;
>       import org.apache.royale.utils.sendEvent;
> +     COMPILE::JS
> +     {
> +             import org.apache.royale.core.UIBase;
> +     }
> 
>       /**
>        *  The SearchFilterForList bead class is a specialty bead that can be 
> used with
> @@ -321,8 +325,13 @@ package org.apache.royale.jewel.beads.controls.textinput
>                                       //decorate text
>                                       if(useDecoration)
>                                       {
> -                                             ir.text = "<span 
> style='display:contents;'>" + (filterText != "" ?  decorateText(textData, 
> textData.toUpperCase().indexOf(filterText.toUpperCase()), filterText.length) 
> : textData ) + "</span>";
> -                                     }
> +                                             var txt:String = "<span 
> style='display:contents;'>" + (filterText != "" ?  decorateText(textData, 
> textData.toUpperCase().indexOf(filterText.toUpperCase()), filterText.length) 
> : textData ) + "</span>";
> +                                             COMPILE::JS
> +                                             {
> +                                                     var a:UIBase = ir as 
> UIBase;
> +                                                     (ir as 
> UIBase).element.innerHTML = txt;
> +                                             }
> +                     }
>                               } else {
>                                       ir.visible = false;
>                               }
> 
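Review bot: in the `COMPILE::JS` block of this hunk, `(ir as UIBase).element.innerHTML = txt` hands the browser a string built by concatenating `textData` (and the `decorateText` output) with no HTML escaping, so any markup in an item's label is now parsed as DOM instead of being shown as text; where `textData` comes from is not visible in this hunk, and that is exactly what decides whether this is safe. If the `<span style='display:contents;'>` wrapper is all that styling needs, consider creating the span element and assigning the label through `textContent`, or escaping `textData` before concatenating it into `txt`. Two further points: the removed `ir.text = ...` line was unconditional, while the replacement only assigns inside `COMPILE::JS`, so on non-JS builds `txt` is computed and never applied and the renderer's text is left unset when `useDecoration` is true; and `var a:UIBase = ir as UIBase;` is assigned but never read because the next line casts `ir` again, so either write `a.element.innerHTML = txt;` or drop the variable. The closing brace on the final `+` line is also indented to a different level than the `}` it replaces.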
