
XSS vulnerability by default #964

Closed
wilg opened this issue Aug 21, 2014 · 1 comment

wilg commented Aug 21, 2014

Ran into an issue with XSS using the default template. I tried escaping the HTML before giving it to typeahead.js, but that didn't work as expected because the hint actually seems to escape HTML correctly. Because of that, if I passed pre-escaped HTML I would get double-escaping in the hint which isn't correct.

I am using a custom ttadapter instead of Bloodhound, if that makes a difference. Perhaps there's a way to achieve the correct escaping behavior that I missed?

Also, since remote suggestions are by their nature likely to be XSS vectors, I strongly believe the safe thing to do is to give typeahead.js a secure default template.

At a minimum, the hint and dropdown should have the same escaping behavior, so that escaping the content works correctly.

The quick fix was to replace

```js
return "<p>" + displayFn(context) + "</p>";
```

with

```js
return "<p>" + window._.escape(displayFn(context)) + "</p>";
```

(This works because we use underscore in our app.)

I can work on a pull, but I want to make sure it would get accepted since #18 seemed like a wontfix.
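The two template variants and the double-escaping effect described in this issue, as an added example that is not typeahead.js's own code; `escapeHtml`, `defaultTemplate`, `safeTemplate` and `hintValue` are assumed names, and the sample suggestion is constructed.

```javascript
// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(str) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Mirrors the unescaped default suggestion template quoted in the issue:
// whatever displayFn returns is concatenated straight into markup.
function defaultTemplate(context, displayFn) {
  return "<p>" + displayFn(context) + "</p>";
}

// The hardened form: escape the display string before it enters the markup.
function safeTemplate(context, displayFn) {
  return "<p>" + escapeHtml(displayFn(context)) + "</p>";
}

// Models the hint, which the reporter observed already escapes its content.
function hintValue(context, displayFn) {
  return escapeHtml(displayFn(context));
}

// Constructed sample: a remote suggestion that carries markup.
var suggestion = { value: "Acme <b>Inc</b> & Co" };
var display = function (s) { return s.value; };

// Pre-escaping at the data layer to protect the dropdown means the hint,
// which escapes on its own, now escapes the value a second time.
var preEscaped = { value: escapeHtml(suggestion.value) };

// Returns all three renderings so the difference is visible side by side.
function render() {
  return {
    dropdownRaw: defaultTemplate(suggestion, display),  // markup survives
    dropdownSafe: safeTemplate(suggestion, display),    // markup neutralised
    hintDoubleEscaped: hintValue(preEscaped, display)   // "&amp;lt;b&amp;gt;..."
  };
}
```

Escaping in both the template and the hint, rather than in the data fed to them, is what gives the dropdown and the hint the same behaviour the reporter asks for.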

@jharding
Contributor

I'd accept a pull request for escaping the string injected into the default templates.
