DOM-based XSS due to un-escaped special characters #833

Open
hwendland opened this issue Aug 1, 2022 · 1 comment
Comments

@hwendland

How can we reproduce this bug?

  1. Create a new tribute
  2. Set the display name (key) of one of the items to "<img/src/on src=x onerror=alert(document.domain)>".
  3. When you enter "@" into the input field managed by tribute, the drop-down list for selecting a name will be displayed and JavaScript will be executed via the HTML tag contained in the username.

What did you expect to happen?

  • HTML is sanitised / escaped before it is inserted into the DOM

What happened instead?

  • The HTML is inserted into the DOM as is

Link (jsfiddle/plunkr/codepen) or Screenshot:
https://codepen.io/hannah_dnp/pen/QWmQLmG
-> enter "@" into any of the inputs and observe the alert being shown
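A defensive sketch of the expected behaviour, added here as an example and not code from Tribute or from the reporter: the item's display name is HTML-escaped before it is interpolated into the menu markup, so the key from the report renders as literal text. `escapeHtml`, `renderMenuItemUnsafe` and `renderMenuItemSafe` are hypothetical helpers; the `menuItemTemplate` hook they would plug into is assumed to be Tribute's documented per-item template option.

```javascript
// Added example (not Tribute's own code). Escape item text before it is
// interpolated into menu HTML so a crafted display name cannot become markup.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can change HTML context. Ampersand is
// included so an already-encoded entity in a key cannot be smuggled through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering as described in the issue: the key is dropped into
// the markup unchanged, so a key containing a tag becomes a live element
// once the string reaches innerHTML.
function renderMenuItemUnsafe(item) {
  return `<li>${item.key}</li>`;
}

// Hardened rendering: same template, but the key is escaped first. This is
// the shape a custom menuItemTemplate (assumed option name) should return,
// or what the library itself should do when it builds the menu.
function renderMenuItemSafe(item) {
  return `<li>${escapeHtml(item.key)}</li>`;
}

// Constructed sample item using the display name from the report.
const reportedItem = {
  key: "<img/src/on src=x onerror=alert(document.domain)>",
  value: "hannah",
};

// Detection helper for the check below: does the rendered string contain
// any tag other than the <li> wrapper the template itself emits?
function containsInjectedTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}

console.log("unsafe:", renderMenuItemUnsafe(reportedItem));
console.log("safe:  ", renderMenuItemSafe(reportedItem));
```

In a real integration the same effect is reached by assigning the key to an element's `textContent` instead of building an HTML string; the escaping step above is only needed where markup strings are unavoidable.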

@LockingReal

My personal opinion: if a packaging tool is used, I think the XSS attack defense should be in the compile or package phase (plug-in). For other scenarios, you can use some other npm libraries in the whole project (xss.js??), but I think it is not good to use special APIs to process values during development.
