From 0dd30cac21813ac1464edc4d04669fe851a8c61c Mon Sep 17 00:00:00 2001
From: Piotr Gawron <piotr.gawron@uni.lu>
Date: Fri, 30 Mar 2018 17:14:17 +0200
Subject: [PATCH] by default help button creation doesn't prevent xss

---
 .../src/main/js/gui/admin/AddProjectDialog.js       |  6 +++---
 frontend-js/src/main/js/gui/leftPanel/GuiUtils.js   | 13 ++++++++++---
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/frontend-js/src/main/js/gui/admin/AddProjectDialog.js b/frontend-js/src/main/js/gui/admin/AddProjectDialog.js
index aa790153ee..4953d18bfe 100644
--- a/frontend-js/src/main/js/gui/admin/AddProjectDialog.js
+++ b/frontend-js/src/main/js/gui/admin/AddProjectDialog.js
@@ -198,9 +198,9 @@ AddProjectDialog.prototype.createGeneralTabContent = function () {
     return self.setFileParserForFilename(file.name);
   });
 
-  var manualUrl = self.getConfiguration().getOption(ConfigurationType.USER_MANUAL_FILE);
-  table.appendChild(self.createRow([guiUtils.createLabel("Upload file: "), fileInput,
-    guiUtils.createHelpButton('File with the map. For a quick start, CellDesigner files are accepted directly. Available options and configurations of the source file are discussed in <a href="' + manualUrl + '">manual</a>.')]));
+  var manualUrl = self.getConfiguration().getOption(ConfigurationType.USER_MANUAL_FILE).getValue();
+  var help = 'File with the map. For a quick start, CellDesigner files are accepted directly. Available options and configurations of the source file are discussed in <a href="' + manualUrl + '">manual</a>.';
+  table.appendChild(self.createRow([guiUtils.createLabel("Upload file: "), fileInput, guiUtils.createHelpButton(help)]));
 
   var fileFormatSelect = Functions.createElement({
     type: "select",
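Review bot: `manualUrl` is spliced into the `href` attribute by string concatenation on the `var help = ...` line and then passed to `createHelpButton(help)` with no second argument, so under the new signature nothing escapes it before it becomes markup. The value comes from a configuration option rather than a literal, so whether it can carry a quote or an unexpected scheme depends on how USER_MANUAL_FILE is populated and who can edit it; at minimum the attribute value should be escaped, or the anchor built with DOM calls (`createElement` plus `setAttribute('href', manualUrl)`) rather than a string. If the `xss` package's default whitelist keeps the anchor, `guiUtils.createHelpButton(help, true)` would keep sanitization on for this call site. `createGeneralTabContent` starts and ends outside the hunk.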
diff --git a/frontend-js/src/main/js/gui/leftPanel/GuiUtils.js b/frontend-js/src/main/js/gui/leftPanel/GuiUtils.js
index a1011046ec..7dd3c7c4bd 100644
--- a/frontend-js/src/main/js/gui/leftPanel/GuiUtils.js
+++ b/frontend-js/src/main/js/gui/leftPanel/GuiUtils.js
@@ -9,7 +9,7 @@ var AbstractGuiElement = require('../AbstractGuiElement');
 var Functions = require('../../Functions');
 
 var logger = require('../../logger');
-var xss= require('xss');
+var xss = require('xss');
 
 var tabIdCounter = 0;
 
@@ -670,7 +670,13 @@ GuiUtils.prototype.createTab = function (params) {
   }
 };
 
-GuiUtils.prototype.createHelpButton = function (toolTip) {
+GuiUtils.prototype.createHelpButton = function (toolTip, useXss) {
+  var helpContent;
+  if (useXss) {
+    helpContent = xss(toolTip);
+  } else {
+    helpContent = toolTip;
+  }
 
   var helpTipButton = Functions.createElement({
     type: "button",
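Review bot: The new `useXss` parameter defaults to the unsanitized branch, so every existing caller of `createHelpButton(toolTip)` silently moves from `xss(toolTip)` to raw markup once the `xss: false` option in the second GuiUtils.js hunk (which presumably turns off whatever filtering `Functions.createElement` applies) takes effect; the safer default is the reverse, with callers opting out explicitly: `var helpContent = useXss === false ? toolTip : xss(toolTip);`. The name also reads backwards, since `useXss` true means "apply the xss filter", so a JSDoc header stating that `toolTip` is inserted as HTML, that it is sanitized with the `xss` package unless the flag disables it, and that callers disabling it must pass only trusted, server-controlled strings would make the contract visible. The function body continues past the end of the hunk.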
@@ -681,7 +687,8 @@ GuiUtils.prototype.createHelpButton = function (toolTip) {
   helpTipButton.onclick = function () {
     var helpDialogDiv = Functions.createElement({
       type: "div",
-      content: xss(toolTip)
+      content: helpContent,
+      xss: false
     });
     $(helpDialogDiv).dialog({
       close: function () {
-- 
GitLab