From db88156dff24f58c96706bc350ec97b7f5341c86 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 23 Dec 2021 17:06:09 +0100
Subject: [PATCH] luci-base: form.js: do not execute embedded script code in stripTags()

Instead of relying on .innerHTML which executes embedded script code to parse a given HTML fragment, use dom.parse() which utilizies DOMParser() internally in order to extract textContent in a safe manner.

Fixes: FS#4199
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=4199
Signed-off-by: Jo-Philipp Wich
(cherry picked from commit 993151504e8e810c083d3257555bdcdc2f00673a)
---
 modules/luci-base/htdocs/luci-static/resources/form.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/luci-base/htdocs/luci-static/resources/form.js b/modules/luci-base/htdocs/luci-static/resources/form.js
index 4016007742..b0deea8e8f 100644
--- a/modules/luci-base/htdocs/luci-static/resources/form.js
+++ b/modules/luci-base/htdocs/luci-static/resources/form.js
@@ -287,7 +287,8 @@ var CBIAbstractElement = baseclass.extend(/** @lends LuCI.form.AbstractElement.p
 if (typeof(s) == 'string' && !s.match(/[<>]/))
 return s;
 
- var x = E('div', {}, s);
+ var x = dom.parse('' + s + '');
+
 return x.textContent || x.innerText || '';
 },
-- 
2.30.2
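Review bot: The added `dom.parse(...)` line builds its input by string concatenation, so a non-string argument — which the `typeof(s) == 'string'` guard two lines above implies can reach this point — is coerced with String() instead of being parsed, and a DOM node would come back as the text "[object HTMLDivElement]" where the removed `E('div', {}, s)` presumably appended the node and let textContent flatten it. A one-line guard keeps that path intact: `var x = (s instanceof Node) ? s : dom.parse('<div>' + s + '</div>');` (the `<div>`/`</div>` wrapper literals appear to have been dropped by whatever rendered this hunk, so confirm them against the file). It also looks like dom.parse returns null when the fragment yields no element, in which case the unchanged `return x.textContent || x.innerText || '';` throws a TypeError where the old code never did; `if (!x) return '';` before it would preserve that contract — verify against dom.parse in dom.js. Finally, the XSS fix only holds if every path inside dom.parse avoids innerHTML, including any fallback taken when DOMParser is unavailable or throws, so that is worth checking rather than relying on the commit message alone. The stripTags method begins above this hunk.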