Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(dropdown): possible XSS through select option text #2705

Merged
merged 2 commits into from
Feb 19, 2023
Merged

fix(dropdown): possible XSS through select option text #2705

merged 2 commits into from
Feb 19, 2023

Conversation

lubber-de
Copy link
Member

@lubber-de lubber-de commented Feb 19, 2023
edited
Loading

Description

This PR fixes a possible XSS through an entity encoded select option text when converted into a FUI dropdown.
Even if preserveHTML: false would prevent this, a select tag cannot contain html at all and if it contains entity encoded HTML instead, it should not be reconverted into html.

The PR also fixes recreating the dropdown menu twice when no values are selected in a multiple dropdown

Thanks to @brian-codes for reporting

Testcase

  • Select the obvious evil dropdown entry

Broken

The alert message appears upon selection
https://jsfiddle.net/lubber/f5to49ew/3/

Fixed

All fine
https://jsfiddle.net/lubber/f5to49ew/5/

Closes

#2692 (reply in thread)
#2817

@lubber-de lubber-de added type/bug Any issue which is a bug or PR which fixes a bug lang/javascript Anything involving JavaScript state/awaiting-reviews Pull requests which are waiting for reviews type/security Anything related to security labels Feb 19, 2023
@lubber-de lubber-de added this to the 2.9.3 milestone Feb 19, 2023
@lubber-de
Copy link
Member Author

@all-contributors please add @brian-codes for security

@allcontributors allcontributors bot mentioned this pull request Feb 19, 2023
Merged
@allcontributors
Copy link
Contributor

@lubber-de

I've put up a pull request to add @brian-codes! 🎉

@lubber-de lubber-de merged commit be4492b into fomantic:develop Feb 19, 2023
@lubber-de lubber-de deleted the selectXSS branch February 19, 2023 19:16
@lubber-de lubber-de removed the state/awaiting-reviews Pull requests which are waiting for reviews label Feb 19, 2023
@lubber-de lubber-de mentioned this pull request Apr 11, 2023
Closed
@lubber-de lubber-de mentioned this pull request Jun 9, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ko2in ko2in Awaiting requested review from ko2in

@ColinFrick ColinFrick Awaiting requested review from ColinFrick

@prudho prudho Awaiting requested review from prudho

@y0hami y0hami Awaiting requested review from y0hami

Assignees
No one assigned
Labels
lang/javascript Anything involving JavaScript type/bug Any issue which is a bug or PR which fixes a bug type/security Anything related to security
Projects
None yet
Milestone
2.9.3
Development

Successfully merging this pull request may close these issues.
1 participant
@lubber-de