autoComplete.js
HTML input is not escaped
System Information
- Browser type and version: any
- OS type and version: any

Describe the bug
Potential Cross-Site Scripting (XSS) vulnerability

To Reproduce
- Go to https://tarekraafat.github.io/autoComplete.js/demo/
- Paste `<img/src='x'/onerror='alert(8)'>` into the input field

Expected behavior
HTML input is not escaped.
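The following is an added illustration of the failure the report describes and of one way to fix it; it is not autoComplete.js's own code, and the assumption that the suggestion list is built as an HTML string with the matched substring wrapped in `<mark>` is mine, chosen because match highlighting is the usual reason an autocomplete widget renders suggestions via markup rather than plain text. The point it shows: if the raw suggestion text is interpolated into that markup, the reporter's payload becomes a live `<img>` element, whereas escaping each text segment first (and only then adding the widget's own tags) keeps the highlighting and neutralizes the payload.

```javascript
// Added example (not autoComplete.js code): rendering an autocomplete
// suggestion with match highlighting, in an unsafe and a hardened form.

// Characters that must not reach an HTML parser unescaped.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Case-insensitive position of the query inside the value, or -1.
function matchIndex(value, query) {
  return query ? value.toLowerCase().indexOf(query.toLowerCase()) : -1;
}

// Vulnerable (hypothetical, for contrast): the raw value is interpolated
// into the markup, so any tags the user typed are parsed as real elements.
function renderUnsafe(value, query) {
  const i = matchIndex(value, query);
  if (i < 0) return `<li>${value}</li>`;
  const end = i + query.length;
  return `<li>${value.slice(0, i)}<mark>${value.slice(i, end)}</mark>${value.slice(end)}</li>`;
}

// Hardened: locate the match on the raw string (so indices stay correct),
// escape each text segment, and only then wrap the hit in the widget's <mark>.
function renderSafe(value, query) {
  const i = matchIndex(value, query);
  if (i < 0) return `<li>${escapeHtml(value)}</li>`;
  const end = i + query.length;
  const before = escapeHtml(value.slice(0, i));
  const hit = escapeHtml(value.slice(i, end));
  const after = escapeHtml(value.slice(end));
  return `<li>${before}<mark>${hit}</mark>${after}</li>`;
}

// Constructed sample input: the payload from the report and a benign value.
const PAYLOAD = "<img/src='x'/onerror='alert(8)'>";
const BENIGN = "Quantum Computing";

// True if the rendered markup contains a parseable <img> start tag.
function containsImgTag(html) {
  return /<img/i.test(html);
}

console.log("unsafe:", renderUnsafe(PAYLOAD, "alert"));
console.log("safe:  ", renderSafe(PAYLOAD, "alert"));
console.log("benign:", renderSafe(BENIGN, "compu"));
```

In a real widget the string-building step can be avoided altogether by creating the `<li>` and `<mark>` elements with `document.createElement` and assigning the text pieces through `textContent`; escaping as above is the fallback for code paths that are already committed to `innerHTML`.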
https://tarekraafat.github.io/autoComplete.js/#/usage
Curious, what kind of flexibility is mentioned here?
When I type markup in a combo box, I do not see circumstances in which I'd want that added as actual DOM to the page.