From 9a3f401b38e86e2f9e7fa722698a437d853b422e Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gregor.kleen@ifi.lmu.de>
Date: Wed, 20 Jan 2021 09:52:08 +0100
Subject: [PATCH] fix(mass-input): properly escape query selector

---
 frontend/src/app.js                         | 2 ++
 frontend/src/utils/mass-input/mass-input.js | 2 +-
 package-lock.json                           | 5 +++++
 package.json                                | 1 +
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/frontend/src/app.js b/frontend/src/app.js
index 66a9760b9..3cf868dc1 100644
--- a/frontend/src/app.js
+++ b/frontend/src/app.js
@@ -4,6 +4,8 @@ import { I18n } from './services/i18n/i18n';
 import { UtilRegistry } from './services/util-registry/util-registry';
 import { isValidUtility } from './core/utility';
 
+import 'css.escape';
+
 import './app.sass';
 
 export class App {
diff --git a/frontend/src/utils/mass-input/mass-input.js b/frontend/src/utils/mass-input/mass-input.js
index 6eac39000..aaa5f7d0c 100644
--- a/frontend/src/utils/mass-input/mass-input.js
+++ b/frontend/src/utils/mass-input/mass-input.js
@@ -230,7 +230,7 @@ export class MassInput {
     const extraneousKeys = new Set();
     for (const k of rawFormData.keys()) {
       const n = k.replace(/\[\]$/, '');
-      const inputElements = Array.from(this._massInputForm.querySelectorAll(`[name=${n}]`));
+      const inputElements = Array.from(this._massInputForm.querySelectorAll(`[name="${CSS.escape(n)}"]`));
       const isBelowMassinput = inputElements.some((elem) => this._element.contains(elem));
       const isFile = inputElements.some((elem) => elem.type === 'file');
 
diff --git a/package-lock.json b/package-lock.json
index e88bacdf4..0d1379a39 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7069,6 +7069,11 @@
       "integrity": "sha512-a+EPoD+uZiNfh+5fxw2nO9QwFa6nJe2Or35fGY6Ipw1R3R4AGz1d1TEZrCegvw2YTmZ0jXirGYlzxxpYSHwpEg==",
       "dev": true
     },
+    "css.escape": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/css.escape/-/css.escape-1.5.1.tgz",
+      "integrity": "sha1-QuJ9T6BK4y+TGktNQZH6nN3ul8s="
+    },
     "cssdb": {
       "version": "4.4.0",
       "resolved": "https://registry.npmjs.org/cssdb/-/cssdb-4.4.0.tgz",
diff --git a/package.json b/package.json
index ab69932cd..fbda3c014 100644
--- a/package.json
+++ b/package.json
@@ -120,6 +120,7 @@
     "@babel/runtime": "^7.11.2",
     "@juggle/resize-observer": "^2.5.0",
     "core-js": "^3.6.5",
+    "css.escape": "^1.5.1",
     "js-cookie": "^2.2.1",
     "lodash.debounce": "^4.0.8",
     "lodash.defer": "^4.1.0",