From d494684b3f7d0de60af7cd1028887a2314a79e73 Mon Sep 17 00:00:00 2001
From: alexandraRamanenka <sasha@form.io>
Date: Wed, 25 Oct 2023 14:46:32 +0300
Subject: [PATCH 1/2] FIO-7466: Fixed an issue where code inside
 tolltips/descriptions will be executed

---
 .../_classes/component/Component.js           |  2 +-
 .../_classes/component/Component.unit.js      | 15 ++++++++++++
 .../_classes/component/fixtures/comp5.js      | 24 +++++++++++++++++++
 .../_classes/component/fixtures/index.js      |  3 ++-
 4 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 src/components/_classes/component/fixtures/comp5.js

diff --git a/src/components/_classes/component/Component.js b/src/components/_classes/component/Component.js
index c64abaa4eb..1e15ff96ef 100644
--- a/src/components/_classes/component/Component.js
+++ b/src/components/_classes/component/Component.js
@@ -1223,7 +1223,7 @@ export default class Component extends Element {
           placement: 'right',
           zIndex: 10000,
           interactive: true,
-          content: this.t(tooltipText, { _userInput: true }),
+          content: this.t(this.sanitize(tooltipText), { _userInput: true }),
         });
       }
     });
diff --git a/src/components/_classes/component/Component.unit.js b/src/components/_classes/component/Component.unit.js
index 7726f1b97c..5b44442ded 100644
--- a/src/components/_classes/component/Component.unit.js
+++ b/src/components/_classes/component/Component.unit.js
@@ -9,6 +9,7 @@ import { comp1 } from './fixtures';
 import _merge from 'lodash/merge';
 import comp3 from './fixtures/comp3';
 import comp4 from './fixtures/comp4';
+import comp5 from './fixtures/comp5';
 
 describe('Component', () => {
   it('Should create a Component', (done) => {
@@ -356,4 +357,18 @@ describe('Component', () => {
       .catch(done);
     });
   });
+
+  it('Should not execute code inside Tooltips/Description', (done) => {
+    const formElement = document.createElement('div');
+    const form = new Webform(formElement);
+
+    form.setForm(comp5).then(() => {
+      setTimeout(() => {
+        console.log(form.components[0].element);
+        assert.equal(window._ee, undefined, 'Should not execute code inside Tooltips/Description');
+        done();
+      }, 200);
+    })
+      .catch(done);
+  });
 });
diff --git a/src/components/_classes/component/fixtures/comp5.js b/src/components/_classes/component/fixtures/comp5.js
new file mode 100644
index 0000000000..68806c95d7
--- /dev/null
+++ b/src/components/_classes/component/fixtures/comp5.js
@@ -0,0 +1,24 @@
+export default {
+  type: 'form',
+  display: 'form',
+  components: [
+    {
+      label: 'Text Field',
+      description: "<img <img src='https://somesite' onerror='var _ee = 2' >",
+      tooltip: "<img src='https://somesite' onerror='var _ee = 1 >",
+      applyMaskOn: 'change',
+      tableView: true,
+      key: 'textField',
+      type: 'textfield',
+      input: true
+    },
+    {
+      type: 'button',
+      label: 'Submit',
+      key: 'submit',
+      disableOnInvalid: true,
+      input: true,
+      tableView: false
+    }
+  ],
+};
diff --git a/src/components/_classes/component/fixtures/index.js b/src/components/_classes/component/fixtures/index.js
index f1a58d4b03..e6e320dd66 100644
--- a/src/components/_classes/component/fixtures/index.js
+++ b/src/components/_classes/component/fixtures/index.js
@@ -2,4 +2,5 @@ import comp1 from './comp1';
 import comp2 from './comp2';
 import comp3 from './comp3';
 import comp4 from './comp4';
-export { comp1, comp2, comp3, comp4 };
+import comp5 from './comp5';
+export { comp1, comp2, comp3, comp4, comp5 };

From c3647d44d0bd6983c6e509619701e845d2f9c7ac Mon Sep 17 00:00:00 2001
From: alexandraRamanenka <sasha@form.io>
Date: Wed, 25 Oct 2023 15:40:15 +0300
Subject: [PATCH 2/2] Removed console.log

---
 src/components/_classes/component/Component.unit.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/components/_classes/component/Component.unit.js b/src/components/_classes/component/Component.unit.js
index 5b44442ded..46606065f2 100644
--- a/src/components/_classes/component/Component.unit.js
+++ b/src/components/_classes/component/Component.unit.js
@@ -364,7 +364,6 @@ describe('Component', () => {
 
     form.setForm(comp5).then(() => {
       setTimeout(() => {
-        console.log(form.components[0].element);
         assert.equal(window._ee, undefined, 'Should not execute code inside Tooltips/Description');
         done();
       }, 200);