The specific problem mentioned here of the overlay firing the alert is in the lazr-js picker. Attaching a first pass at a patch, just to demonstrate the area of the code that needs looking at. However, I think the patch should be extended and the picker should be looked over carefully, as I am sure there are other areas where createTextNode should be used to safely escape the JSON data being inserted.