Merge pull request #5941 from wenzhixin/fix/cve-security

Fixed CVE security problem

src/extensions/filter-control/utils.js

@@ -34,7 +34,7 @@ export function existOptionInSelectControl (selectControl, value) {
   const options = getOptionsFromSelectControl(selectControl)
 
   for (let i = 0; i < options.length; i++) {
-    if (options[i].value === Utils.unescapeHTML(value.toString())) {
+    if (options[i].value === Utils.unescapeHTML(value)) {
       // The value is not valid to add
       return true
     }

src/utils/index.js

@@ -206,29 +206,27 @@ export default {
   },
 
   escapeHTML (text) {
-    if (typeof text === 'string') {
+    if (!text) {
       return text
-        .replace(/&/g, '&')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;')
-        .replace(/'/g, '&#039;')
-        .replace(/`/g, '&#x60;')
     }
-    return text
+    return text.toString()
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#39;')
   },
 
   unescapeHTML (text) {
-    if (typeof text === 'string') {
+    if (!text) {
       return text
-        .replace(/&amp;/g, '&')
-        .replace(/&lt;/g, '<')
-        .replace(/&gt;/g, '>')
-        .replace(/&quot;/g, '"')
-        .replace(/&#039;/g, '\'')
-        .replace(/&#x60;/g, '`')
     }
-    return text
+    return text.toString()
+      .replace(/&amp;/g, '&')
+      .replace(/&lt;/g, '<')
+      .replace(/&gt;/g, '>')
+      .replace(/&quot;/g, '"')
+      .replace(/&#39;/g, '\'')
   },
 
   getRealDataAttr (dataAttr) {