From eefb65599b2f3ed02ad4fbf8808f2d1fbe1b0e52 Mon Sep 17 00:00:00 2001
From: Guanzhong Chen
Date: Sat, 23 May 2020 23:47:46 -0400
Subject: [PATCH] Remove XSS vulnerabilities through poor select2 usage (#1398)

---
 templates/contest/ranking.html | 17 +++++++++++------
 templates/problem/submit.html | 5 +----
 templates/ticket/list.html | 3 ---
 templates/user/base-users.html | 3 ---
 4 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/templates/contest/ranking.html b/templates/contest/ranking.html
index 2ed662fd98..a9c4c115cf 100644
--- a/templates/contest/ranking.html
+++ b/templates/contest/ranking.html
@@ -222,12 +222,17 @@
 url: '{{ url('contest_user_search_select2_ajax', contest.key) }}'
 },
 minimumInputLength: 1,
- escapeMarkup: function (markup) {
- return markup;
- },
- templateResult: function (data, container) {
- return ('' +
- '' + data.text + '');
+ templateResult: function (data) {
+ return $('')
+ .append($('', {
+ class: 'user-search-image',
+ src: data.gravatar_url,
+ width: 24,
+ height: 24,
+ }))
+ .append($('', {
+ class: data.display_rank + ' user-search-name',
+ }).text(data.text));
 }
 }).on('change', function () {
 window.location.href = url.replace('__username__', $(this).val());
diff --git a/templates/problem/submit.html b/templates/problem/submit.html
index d4afb402d9..e58fdaea0f 100644
--- a/templates/problem/submit.html
+++ b/templates/problem/submit.html
@@ -47,7 +47,7 @@
 function formatSelection(state) {
 if (!state.id) return state.text; // optgroup
 var data = makeDisplayData($("option[data-id=" + state.id + "]"));
- return "" + state.text + " (" + data + ")";
+ return $('').append($('').text(state.text), ' (', data, ')');
 }
 
 // Terrible hack, adapted from https://github.com/select2/select2/issues/4436
@@ -71,9 +71,6 @@
 $("#id_language").select2({
 templateResult: format,
 templateSelection: formatSelection,
- escapeMarkup: function (m) {
- return m;
- },
 resultsAdapter: customAdapter
 });
 
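Review bot: In the new templateResult of templates/contest/ranking.html, the `width: 24` and `height: 24` keys in the attribute object are interpreted by jQuery as calls to its `.width()`/`.height()` setters, which write inline CSS in px rather than the width/height attributes the removed markup carried; the rendering is equivalent, but chaining `.attr({ width: 24, height: 24 })` instead would keep the element shape unchanged and make the intent explicit. Setting `src` and `class` through the attribute object, and `data.text` through `.text()`, goes through DOM setters rather than the HTML parser, which is what closes the injection path for `data.display_rank` and `data.gravatar_url` as well as `data.text`; a one-line comment such as `// build via DOM setters/.text(): select2 must never receive raw markup here` would stop a later edit from reverting to string concatenation. The callback also drops the `container` parameter that the sibling templateResult callbacks in templates/ticket/list.html and templates/user/base-users.html keep, so the three signatures now differ. The element names inside `$('')` are not legible in this rendering, so I could not confirm which tags are created, and the enclosing select2 call starts before the hunk.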
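Review bot: The new return line in formatSelection of templates/problem/submit.html passes `data` straight into `.append(...)`, and jQuery parses string arguments to `.append()` that contain markup as HTML, so if `makeDisplayData` (defined outside the hunk) returns a string built from option attributes, that string is still inserted as markup and the escapeMarkup removal does not cover it. Wrapping it as a text node, `' (', document.createTextNode(data), ')'`, keeps the fix independent of what the helper returns; if `makeDisplayData` already returns a jQuery object or DOM node, a short comment saying so on the `var data` line would make that explicit. The unchanged selector on the preceding context line still interpolates `state.id` unquoted into `option[data-id=...]`; that is fine for numeric ids, but quoting the value or selecting with `.filter()` would avoid a selector syntax error on other values. The surrounding template script continues outside the hunk.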
diff --git a/templates/ticket/list.html b/templates/ticket/list.html
index d9f0bd4fea..e863ae6017 100644
--- a/templates/ticket/list.html
+++ b/templates/ticket/list.html
@@ -167,9 +167,6 @@
 };
 
 var user_select2 = {
- escapeMarkup: function (markup) {
- return markup;
- },
 templateResult: function (data, container) {
 return $('')
 .append($('', {
diff --git a/templates/user/base-users.html b/templates/user/base-users.html
index 7ea170341c..d74897431e 100644
--- a/templates/user/base-users.html
+++ b/templates/user/base-users.html
@@ -16,9 +16,6 @@
 url: '{{ url('user_search_select2_ajax') }}'
 },
 minimumInputLength: 1,
- escapeMarkup: function (markup) {
- return markup;
- },
 templateResult: function (data, container) {
 return $('')
 .append($('', {