Fixed html injection based on node content (#1849)

ArcadeData · Dec 2, 2024 · bd7fe63 · bd7fe63
1 parent 7184c22
commit bd7fe63
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/studio/src/main/resources/static/js/studio-graph-widget.js b/studio/src/main/resources/static/js/studio-graph-widget.js
@@ -570,7 +570,7 @@ function displaySelectedNode() {
     for (let p in data.properties) {
       let value = data.properties[p];
       if (Array.isArray(value) || typeof value === "object") value = JSON.stringify(value);
-      table += "<tr><td>" + p + "</td><td>" + value + "</td>";
+      table += "<tr><td>" + escapeHtml(p) + "</td><td>" + escapeHtml(value) + "</td>";
     }
 
     $("#graphPropertiesTable").html(table);
@@ -831,7 +831,7 @@ function displaySelectedEdge() {
     for (let p in data.properties) {
       let value = data.properties[p];
       if (Array.isArray(value) || typeof value === "object") value = JSON.stringify(value);
-      table += "<tr><td>" + p + "</td><td>" + value + "</td>";
+      table += "<tr><td>" + escapeHtml(p) + "</td><td>" + escapeHtml(value) + "</td>";
     }
     table += "</tbody>";