From f3b3d233614400573a3daca2911988bbbec4ef9f Mon Sep 17 00:00:00 2001
From: Mike Bender
Date: Fri, 7 Feb 2025 16:24:31 -0500
Subject: [PATCH] fix: Don't use HTML in panel titles, treat as text (#2365)

- Golden Layout was setting the title in panel titles with `.html()` method, which allows remote code execution, and potentially could craft a notebook with a malicious name that could run arbitrary JS
- Instead just use `.text` and treat it like text, as we should.
- Tested on DHC - created a notebook with the name `.py`. It now appears correctly as text and does not pop up an alert message. Also verified that title still appears in italics when in "preview" mode.
- Fixes DH-18645
---
 packages/golden-layout/src/controls/DragProxy.ts | 2 +-
 packages/golden-layout/src/controls/Tab.ts | 2 +-
 packages/golden-layout/test/title-tests.js | 5 ++---
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/packages/golden-layout/src/controls/DragProxy.ts b/packages/golden-layout/src/controls/DragProxy.ts
index 00cf6c4a64..f2b1d0d8fc 100644
--- a/packages/golden-layout/src/controls/DragProxy.ts
+++ b/packages/golden-layout/src/controls/DragProxy.ts
@@ -90,7 +90,7 @@ export default class DragProxy extends EventEmitter {
       'title',
       stripTags(this._contentItem.config.title ?? '')
     );
-    this.element.find('.lm_title').html(this._contentItem.config.title ?? '');
+    this.element.find('.lm_title').text(this._contentItem.config.title ?? '');
     this.childElementContainer = this.element.find('.lm_content');
     this.childElementContainer.append(contentItem.element);
diff --git a/packages/golden-layout/src/controls/Tab.ts b/packages/golden-layout/src/controls/Tab.ts
index 0704e9cdb9..245399d15a 100644
--- a/packages/golden-layout/src/controls/Tab.ts
+++ b/packages/golden-layout/src/controls/Tab.ts
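Review bot: The switched `.lm_title` line now renders the title safely, but nothing at the call site records why `.text()` is mandatory here, and `this._contentItem.config.title ?? ''` is evaluated twice in adjacent lines (once through `stripTags` for the tooltip attribute, once for the visible label). I would hoist it and leave a why-comment so a later styling change does not quietly reintroduce `.html()`: `// Titles can be user-controlled (e.g. notebook names): render as text, never as markup`, then `const title = this._contentItem.config.title ?? '';` used by both the `attr('title', stripTags(title))` call and `.text(title)`. The enclosing constructor/method starts and ends outside the hunk. Any other golden-layout code paths that still push `config.title` through `.html()` are not visible in this diff; presumably they were audited, but that is worth confirming.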
@@ -98,7 +98,7 @@ export default class Tab {
   setTitle(title = '') {
     // Disabling for illumon project, we want to manage our own tooltips
     // this.element.attr( 'title', lm.utils.stripTags( title ) );
-    this.titleElement.html(title);
+    this.titleElement.text(title);
   }
 
   /**
diff --git a/packages/golden-layout/test/title-tests.js b/packages/golden-layout/test/title-tests.js
index ca9a4f9c9e..e837e741a9 100644
--- a/packages/golden-layout/test/title-tests.js
+++ b/packages/golden-layout/test/title-tests.js
@@ -66,12 +66,11 @@ describe('content items are abled to to emit events that bubble up the tree', fu
   it('supports html in title', function () {
     itemWithTitle.container.setTitle('title with html');
     expect(stack.header.tabs[0].element.find('.lm_title').html()).toBe(
-      'title with html'
+      'title <b>with</b> html'
     );
     expect(stack.header.tabs[0].element.find('.lm_title').text()).toBe(
-      'title with html'
+      'title with html'
     );
-    // expect( stack.header.tabs[ 0 ].element.attr( 'title' ) ).toBe( 'title with html' );
   });
 
   it('destroys the layout', function () {
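Review bot: `setTitle` now treats its argument as text, but neither the method nor the changed line says why, and the two comment lines directly above it are dead code that still references the old `lm.utils.stripTags` namespace. I would replace them with a JSDoc on `setTitle` that pins the contract so nobody reinstates `.html()` for styling, e.g. `/** Sets the visible tab label. \`title\` is rendered as plain text, never HTML, because it may be user-controlled (e.g. a notebook name); tooltips are handled elsewhere. */`. Callers that previously relied on passing markup (the "preview" italics the description mentions) presumably get their styling from a CSS class now; that is not visible in this hunk and worth confirming. The enclosing `Tab` class continues outside the hunk.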
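Review bot: The test name `'supports html in title'` on the first line of the hunk now states the opposite of what the updated assertions check — they guard that markup in a title is escaped by the widget rather than rendered. Rename it, `it('treats html in title as text', function () {`, so a future reader does not "fix" the expectations back to the old behaviour. The quoted expected strings look flattened in this rendering (the `.html()` expectation shows literal tags); presumably the real file holds the entity-escaped form, which also ties the test to jQuery's `<`/`>` encoding, so a one-line comment above the first `expect` noting that intent would help. The enclosing `describe` block starts outside the hunk.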