Actions
Task #102207
closed
Escape dynamic values in selector queries
Status:
Closed
Priority:
Should have
Assignee:
Category:
Backend JavaScript
Target version:
Start date:
2023-10-19
Due date:
% Done:
100%
Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Sprint Focus:
Description
Whenever dynamic data is passed to query selectors, it needs to be escaped.
Example for a wrong example:
const baz = readFromSomeDynamicData(),
const foo = document.querySelector('foo[bar="' + baz + '"]');
Better/Correct:
const baz = readFromSomeDynamicData(),
const foo = document.querySelector('foo[bar="' + CSS.escape(baz) + '"]');
Ideal/Desired would be to use a string literal for syntax sugar reasons:
const baz = readFromSomeDynamicData(),
const foo = document.querySelector(selector`foo[bar="${baz]"]`);
Updated by 
Updated by Anonymous 
Updated by
Actions