ExtJS 7.1 标签字段正在执行 XSS 标签

ExtJS 7.1 Tag field is executing XSS tag

我在输入 时遇到关于标签域组件的问题。该标签在输入完整值后执行。我已经尝试阻止在 keyup、keypress、keydown 和 beforequery 事件上执行标记,但它仍在执行。此代码块在检测到 XSS 标记时阻止事件执行。

    Ext.application({
    name: 'Fiddle',

    launch: function () {

        var shows = Ext.create('Ext.data.Store', {
            fields: ['id', 'show'],
            data: []
        });

        Ext.create('Ext.form.Panel', {
            renderTo: Ext.getBody(),
            title: 'Sci-Fi Television',
            height: 200,
            width: 500,
            items: [{
                xtype: 'tagfield',
                itemId: 'tagField',
                fieldLabel: 'Select a Show',
                store: shows,
                displayField: 'show',
                valueField: 'id',
                queryMode: 'local',
                filterPickList: false,
                listeners: {
                    beforequery: function () {
                        var editor = Ext.ComponentQuery.query('#tagField')[0];
                        if (editor.inputEl.getValue().search(new RegExp('(<([^>]+)>)')) >= 0) {
                            editor.inputEl.dom.value = '';
                            return false;
                        }
                    },
                    keypress: function (textfield, event) {
                        var editor = Ext.ComponentQuery.query('#tagField')[0];
                        if (editor.inputEl.getValue().search(new RegExp('(<([^>]+)>)')) >= 0) {
                            editor.inputEl.dom.value = '';
                            return false;
                        }
                    },
                    keydown: function (textfield, event) {
                        var editor = Ext.ComponentQuery.query('#tagField')[0];
                        if (editor.inputEl.getValue().search(new RegExp('(<([^>]+)>)')) >= 0) {
                            editor.inputEl.dom.value = '';
                            return false;
                        }
                    },
                }
            }]
        });

    }
});

enter image description here

这花了一点时间来寻找,但显然在 Ext.form.field.ComboBox 中,有一个 onFieldMutation 处理程序确实是所有这一切的关键。看看 this Fiddle 和负责处理这个问题的代码......我相信这就是你要找的:

Ext.define('ComboOverride', {
  override: 'Ext.form.field.ComboBox',

  onFieldMutation: function (e) {
    var inputDom = this.inputEl.dom;
    if (Ext.String.hasHtmlCharacters(inputDom.value)) {
      inputDom.value = '';
      alert('XSS Detected, Removing');
    }
    return this.callParent(arguments);
  }
});