From 4e8ef71bdb5983eace758b9336ef5ecba8b207b1 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Mon, 6 Jul 2020 19:47:31 +0530
Subject: [PATCH] Fixes vulnerable picklist values in layout editor

---
 .../modules/Settings/LayoutEditor/resources/LayoutEditor.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/layouts/v7/modules/Settings/LayoutEditor/resources/LayoutEditor.js b/layouts/v7/modules/Settings/LayoutEditor/resources/LayoutEditor.js
index 0b70ee704..603295ad4 100644
--- a/layouts/v7/modules/Settings/LayoutEditor/resources/LayoutEditor.js
+++ b/layouts/v7/modules/Settings/LayoutEditor/resources/LayoutEditor.js
@@ -537,6 +537,12 @@ Vtiger.Class('Settings_LayoutEditor_Js', {
 
 			for (var i in fieldOptions) {
 				var fieldValue = fieldOptions[i];
+                                var specialChars = /[<\>\"\,\[\]\{\}]/; 
+                                if (specialChars.test(fieldValue)) { 
+                                    var message = app.vtranslate('JS_SPECIAL_CHARACTERS') + " < > \" , [ ] { } " + app.vtranslate('JS_NOT_ALLOWED'); 
+                                    vtUtils.showValidationMessage(element, message, {container:data}); 
+                                    return false; 
+                                }
 				var fieldValueOption = defaultOptions.filter('[value="'+fieldValue+'"]');
 				if (fieldValueOption.length <= 0) {
 					newOptions += ' <option value="'+fieldValue+'">'+fieldValue+'</option> ';
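Review bot: The denylist added on L18–L23 is a weaker fix than it looks, because the value still flows into a string-built jQuery selector and HTML fragment on the two lines after it, and the class `[<\>\"\,\[\]\{\}]` does not cover `'`, `&` or a backslash (a trailing `\` turns `[value="…\"]` into a selector jQuery rejects with a syntax error). Instead of enumerating bad characters for the sake of rendering, build the option with DOM APIs so nothing has to be banned on the client, and keep the regex only for characters the save endpoint itself refuses. That endpoint is not in this patch, which only touches the JS file, so it presumably has to apply the same rule server-side — worth confirming, since this check is trivially bypassed. Hoisting the pattern out of the loop also avoids re-creating it per value and drops the needless escapes: `var specialChars = /[<>",\[\]{}]/;` above the `for`. The enclosing method begins and ends outside this hunk.
```javascript
// … unchanged: specialChars check with early `return false` …
var fieldValueOption = defaultOptions.filter(function () {
	return jQuery(this).val() === fieldValue;
});
if (fieldValueOption.length <= 0) {
	// Let jQuery escape attribute and text instead of concatenating raw input.
	newOptions += ' ' + jQuery('<option>').attr('value', fieldValue).text(fieldValue).prop('outerHTML') + ' ';
}
```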
-- 
GitLab