Project

General

Profile

Actions

Task #102207

closed

Escape dynamic values in selector queries

Added by Benjamin Franzke about 1 year ago. Updated 10 months ago.

Status:
Closed
Priority:
Should have
Category:
Backend JavaScript
Start date:
2023-10-19
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Whenever dynamic data is passed to query selectors, it needs to be escaped.

Example for a wrong example:

const baz = readFromSomeDynamicData(),
const foo = document.querySelector('foo[bar="' + baz + '"]');

Better/Correct:

const baz = readFromSomeDynamicData(),
const foo = document.querySelector('foo[bar="' + CSS.escape(baz) + '"]');

Ideal/Desired would be to use a string literal for syntax sugar reasons:

const baz = readFromSomeDynamicData(),
const foo = document.querySelector(selector`foo[bar="${baz]"]`);
Actions

Also available in: Atom PDF