From d5a11bae015b4b95f77bbd523ce0112106483511 Mon Sep 17 00:00:00 2001
From: Mingsong Hu <mingsonghu@macbook-pro.lan>
Date: Wed, 23 Feb 2022 08:11:29 +1100
Subject: [PATCH] Fix the bug for tree node label

---
 src/Controller/EntityReferenceTreeController.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Controller/EntityReferenceTreeController.php b/src/Controller/EntityReferenceTreeController.php
index 7656ea2..bb8ca2f 100644
--- a/src/Controller/EntityReferenceTreeController.php
+++ b/src/Controller/EntityReferenceTreeController.php
@@ -2,6 +2,7 @@
 
 namespace Drupal\entity_reference_tree\Controller;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Form\FormBuilder;
 use Symfony\Component\DependencyInjection\ContainerInterface;
@@ -111,7 +112,10 @@ class EntityReferenceTreeController extends ControllerBase {
         // An array in JavaScript is indexed list.
         // JavaScript's array indices are always sequential
         // and start from 0.
-        $entityNodeAry[] = $treeBuilder->createTreeNode($entity);
+        $treeNode = $treeBuilder->createTreeNode($entity);
+        // Applies a very permissive XSS/HTML filter for node text.
+        $treeNode['text'] = Xss::filterAdmin($treeNode['text']);
+        $entityNodeAry[] = $treeNode;
       }
     }
 
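Review bot: `Xss::filterAdmin()` on `$treeNode['text']` is the permissive filter intended for administrator-authored markup, so a label written by a less-trusted user still reaches the tree with links, images and layout tags intact; only script-capable constructs are stripped. An entity label is plain text, so if `createTreeNode()` returns it unescaped and the client-side tree inserts `text` as HTML (neither is visible in this hunk), escaping fits better: `$treeNode['text'] = Html::escape($treeNode['text']);` with `use Drupal\Component\Utility\Html;`, or `Xss::filter()` with its restrictive default tag list if some inline markup must survive. Only `text` is sanitised here, so it is worth checking in the tree builder whether any other node field derived from entity data is rendered as HTML. The enclosing loop and method start and end outside the hunk.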
-- 
GitLab