[Security] IBX-10200: Fix XSS in reschedule/cancel-schedule modal

tischsoic · web-flow · commit da3bfbfbc47d · 2025-10-16T12:34:47.000+02:00
diff --git a/src/bundle/Resources/public/js/scripts/fieldType/ezimageasset.js b/src/bundle/Resources/public/js/scripts/fieldType/ezimageasset.js
@@ -155,7 +155,7 @@
             previewImg.classList.toggle('d-none', image === null);
             previewAlt.value = image.alternativeText;
             previewActionPreview.setAttribute('href', destinationLocationUrl);
-            assetNameContainer.innerHTML = destinationContentName;
+            assetNameContainer.innerText = destinationContentName;
             assetNameContainer.setAttribute('href', destinationLocationUrl);
 
             this.inputDestinationContentId.value = destinationContentId;
diff --git a/src/bundle/Resources/public/js/scripts/helpers/dom.helper.js b/src/bundle/Resources/public/js/scripts/helpers/dom.helper.js
@@ -14,9 +14,14 @@
         node.insertAdjacentHTML(position, escapedText);
     };
 
+    const dangerouslyAppend = (node, nodeOrText) => {
+        node.append(nodeOrText);
+    };
+
     eZ.addConfig('helpers.dom', {
         safelySetInnerHTML,
         dangerouslySetInnerHTML,
         dangerouslyInsertAdjacentHTML,
+        dangerouslyAppend,
     });
 })(window, window.document, window.eZ);
