Hi Harb, Does this pose a security risk? Well, in principle, the HTML is generated by the same bead with the text to be rendered (it adds CSS for the highlighting to be displayed). In an initial test, I tried including the sanitizeHTML function, but it removed the CSS rules, so it wasn’t usable.
Do you think this is a security concern? If so… how could I implement it differently? Hiedra. -----Mensaje original----- De: Harbs <harbs.li...@gmail.com> Enviado el: martes, 22 de julio de 2025 16:16 Para: Apache Royale Development <dev@royale.apache.org> Asunto: Re: (royale-asjs) branch develop updated: fix: use innerHTML instead of text in Jewel SearchFilterForList text doesn't render HTML, preventing styling with useDecoration. innerHTML enables proper CSS markup. Where is the contents of “txt” coming from. Is using innerHTML a security risk? > On Jul 22, 2025, at 5:35 AM, hie...@apache.org wrote: > > This is an automated email from the ASF dual-hosted git repository. > > hiedra pushed a commit to branch develop in repository > https://gitbox.apache.org/repos/asf/royale-asjs.git > > > The following commit(s) were added to refs/heads/develop by this push: > new 15edae07a8 fix: use innerHTML instead of text in Jewel > SearchFilterForList text doesn't render HTML, preventing styling with > useDecoration. innerHTML enables proper CSS markup. > 15edae07a8 is described below > > commit 15edae07a8ed5db132cb8cf55424004af73510c0 > Author: hiedra <mjest...@iest.com> > AuthorDate: Tue Jul 22 04:36:14 2025 +0200 > > fix: use innerHTML instead of text in Jewel SearchFilterForList > text doesn't render HTML, preventing styling with useDecoration. innerHTML > enables proper CSS markup. > > Closes #1253 > --- > .../jewel/beads/controls/textinput/SearchFilterForList.as | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git > a/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/be > ads/controls/textinput/SearchFilterForList.as > b/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/be > ads/controls/textinput/SearchFilterForList.as > index b684b84a7e..b91c4cd9d6 100644 > --- > a/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/be > ads/controls/textinput/SearchFilterForList.as > +++ b/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewe > +++ l/beads/controls/textinput/SearchFilterForList.as > @@ -36,6 +36,10 @@ package org.apache.royale.jewel.beads.controls.textinput > import > org.apache.royale.jewel.supportClasses.list.IListPresentationModel; > import org.apache.royale.jewel.supportClasses.textinput.TextInputBase; > import org.apache.royale.utils.sendEvent; > + COMPILE::JS > + { > + import org.apache.royale.core.UIBase; > + } > > /** > * The SearchFilterForList bead class is a specialty bead that can > be used with @@ -321,8 +325,13 @@ package > org.apache.royale.jewel.beads.controls.textinput > //decorate text > if(useDecoration) > { > - ir.text = "<span > style='display:contents;'>" + (filterText != "" ? decorateText(textData, > textData.toUpperCase().indexOf(filterText.toUpperCase()), filterText.length) > : textData ) + "</span>"; > - } > + var txt:String = "<span > style='display:contents;'>" + (filterText != "" ? decorateText(textData, > textData.toUpperCase().indexOf(filterText.toUpperCase()), filterText.length) > : textData ) + "</span>"; > + COMPILE::JS > + { > + var a:UIBase = ir as > UIBase; > + (ir as > UIBase).element.innerHTML = txt; > + } > + } > } else { > ir.visible = false; > } >
