Commit 7f457c9

fix: apply same sanitize-render pattern to multiselect editable
Follow-up to the previous commit. The multiselect editable uses the same transformDocumentEditableStoreToOptions as the single select, so after switching the transform to return plain strings, its labels would render unsanitized without explicit render props. Wire the shared renderSanitizedLabel helper into labelRender and optionRender, restoring XSS protection for the multi-select case while keeping the built-in search filter working (optionFilterProp="label" against a plain string).
1 parent bc6669f commit 7f457c9

File tree

1 file changed

+3
-0
lines changed
  • assets/js/src/core/modules/element/dynamic-types/definitions/document/editable/components/multiselect-editable

assets/js/src/core/modules/element/dynamic-types/definitions/document/editable/components/multiselect-editable/multiselect-editable.tsx

Lines changed: 3 additions & 0 deletions
@@ -13,6 +13,7 @@ import { Select } from '@sdk/components'
1313
import { InheritanceOverlay } from '../inheritance-overlay/inheritance-overlay'
1414
import { toCssDimension } from '@sdk/utils'
1515
import { type SelectOptionType } from '@sdk/modules/element'
16+
import { renderSanitizedLabel } from '../../utils/select-options'
1617
import { useFieldWidth } from '@Pimcore/modules/element/dynamic-types/definitions/objects/data-related/providers/field-width/use-field-width'
1718

1819
interface MultiSelectEditableProps {
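Review bot: The new import at line 16 is the only thing tying this component to the sanitizer, and the commit touches one file with no test alongside it. Because the commit message says the labels render unsanitized without explicit render props, a later refactor that drops this import and its two call sites would silently reopen the issue. Suggest adding a component test that passes an option whose label contains markup and asserts on the rendered output, for both the selected tag and the dropdown entry.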
@@ -54,9 +55,11 @@ export const MultiSelectEditable = ({
5455
<Select
5556
className={ className }
5657
disabled={ inherited }
58+
labelRender={ ({ label }) => renderSanitizedLabel(label) }
5759
mode="multiple"
5860
onChange={ onChange }
5961
optionFilterProp="label"
62+
optionRender={ (option) => renderSanitizedLabel(option.label) }
6063
options={ options }
6164
popupMatchSelectWidth={ false }
6265
style={ containerStyle }
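Review bot: The added labelRender and optionRender props pass label and option.label straight into renderSanitizedLabel with no guard on type or presence. If the Select can invoke labelRender for a selected value that has no matching entry in options, label may be undefined, so confirm the helper accepts a missing or non-string label, or coerce it at the call site. As a smaller point, both props are inline arrow functions recreated on every render; since neither closes over component state, they could be hoisted to module-level constants.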
