Ran into an issue with XSS using the default template. I tried escaping the HTML before giving it to typeahead.js, but that didn't work as expected because the hint actually seems to escape HTML correctly. Because of that, if I passed pre-escaped HTML I would get double-escaping in the hint which isn't correct.
I am using a custom ttadapter instead of Bloodhound, if that makes a difference. Perhaps there's a way to achieve the correct escaping behavior that I missed?
Since remote suggestions are by their nature likely to be XSS vectors, I also strongly believe the safe thing to do is to have typeahead.js ship a secure default template.
At a minimum, the hint and dropdown should have the same escaping behavior, so that escaping the content works correctly.
The quick fix was to replace
return "<p>" + displayFn(context) + "</p>";
with
return "<p>" + window._.escape(displayFn(context)) + "</p>";
(This works because we use underscore in our app.)
I can work on a pull, but I want to make sure it would get accepted since #18 seemed like a wontfix.
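The behaviour described in this issue, as an added example that is not typeahead.js code: a minimal HTML escaper, the unescaped default suggestion template beside its escaped form, and a model of the hint (which sets text, not markup) showing why pre-escaping the value produces double escaping there. `displayFn`, the template functions and the sample suggestion are constructed for illustration.

```javascript
// Added example; names and the sample suggestion are constructed, not typeahead.js internals.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter when a string is placed into HTML markup.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// The unsafe default: the display value is concatenated into markup unchanged,
// so any tags in a remote suggestion are parsed by the browser.
function unsafeSuggestionTemplate(displayFn, context) {
  return '<p>' + displayFn(context) + '</p>';
}

// The hardened default from the comment above: escape at the markup boundary.
function safeSuggestionTemplate(displayFn, context) {
  return '<p>' + escapeHtml(displayFn(context)) + '</p>';
}

// Model of the hint: its value is set as text (assumption), so whatever string
// is passed is shown literally. Pre-escaped input therefore appears as entities.
function hintDisplayedText(displayValue) {
  return displayValue;
}

// Escaping once, at the right layer, gives both views the same result:
// the dropdown gets escaped markup, the hint gets the raw value as text.
function renderBoth(displayFn, context) {
  return {
    dropdown: safeSuggestionTemplate(displayFn, context),
    hint: hintDisplayedText(displayFn(context)),
  };
}

// Constructed remote suggestion carrying markup in its display field.
const SUGGESTION = { name: '<b>Ann</b>' };
const displayFn = s => s.name;
```

Passing `escapeHtml(displayFn(SUGGESTION))` to `hintDisplayedText` reproduces the double-escaping the issue reports: the hint shows `&lt;b&gt;Ann&lt;/b&gt;` literally.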