Merge pull request #4567 from epam/3843-system-doesnot-filter-out-and…

…-do-execute-html-tags-and-javascript-in-custom-query-feature-text

#3843 - System doesn't filter out and do execute html tags and javascript in custom query feature text

packages/ketcher-core/src/application/render/restruct/reatom.ts

@@ -758,8 +758,8 @@ function getOnlyQueryAttributesCustomQuery(atom: Atom) {
 }
 
 function addTooltip(node, text: string) {
-  const tooltip = `<p>${text.split(/(?<=[;,])/).join(' ')}</p>`;
-  node.childNodes[0].setAttribute('data-tooltip', tooltip);
+  const tooltip = text.split(/(?<=[;,])/).join(' ');
+  node.childNodes[0].setAttribute('data-tooltip', util.escapeHtml(tooltip));
 }
 
 function buildLabel(

packages/ketcher-core/src/application/render/restruct/rebond.ts

@@ -1298,7 +1298,11 @@ function getBondMark(
   if (bond.b.type === Bond.PATTERN.TYPE.TRIPLE) fixed += options.bondSpace;
   const p = c.add(new Vec2(n.x * (s.x + fixed), n.y * (s.y + fixed)));
   const path = draw.bondMark(render.paper, p, mark, options);
-  tooltip && path.node.childNodes[0].setAttribute('data-tooltip', tooltip);
+  tooltip &&
+    path.node.childNodes[0].setAttribute(
+      'data-tooltip',
+      util.escapeHtml(tooltip),
+    );
 
   return path;
 }

packages/ketcher-core/src/application/render/util.ts

@@ -200,12 +200,18 @@ function updateHalfBondCoordinates(
 
   return [hb1, hb2];
 }
+
+function escapeHtml(str) {
+  return str.replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+
 const util = {
   relBox,
   shiftRayBox,
   calcCoordinates,
   drawCIPLabel,
   updateHalfBondCoordinates,
+  escapeHtml,
 };
 
 export default util;