
HTML input is not escaped

Open BenjaminHofstetter opened this issue 1 year ago • 2 comments

  • System Information
    • Browser type and version: any
    • OS type and version: any
  • Describe the bug: Potential Cross-Site Scripting (XSS) vulnerability
  • To Reproduce
    1. Go to https://tarekraafat.github.io/autoComplete.js/demo/
    2. Paste <img/src='x'/onerror='alert(8)'> into the input field
  • Expected behavior: HTML input is not escaped.

BenjaminHofstetter avatar Apr 25 '23 15:04 BenjaminHofstetter
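The escaping the report asks for, shown as an added example that is not autoComplete.js code (the names `escapeHtml`, `renderSuggestion` and `onlyTrustedMarkup`, and the `<mark>` highlight tag, are assumptions): every untrusted segment is escaped on its own before any library-controlled markup is placed around it, so the payload from the reproduction steps ends up as literal text rather than as an element with an event handler.

```javascript
// Added example, not code from autoComplete.js. Function names and the
// <mark> highlighting convention are assumptions for illustration.

// The five characters that can change meaning inside HTML text or attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace each special character so the result is inert when parsed as HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build suggestion markup: find the query in the RAW value, then escape the
// three raw segments separately and wrap only the hit in <mark>. Searching
// the escaped string instead would risk splitting an entity such as &amp;.
function renderSuggestion(rawValue, rawQuery) {
  const value = String(rawValue);
  const query = String(rawQuery);
  if (query.length === 0) return escapeHtml(value);
  const idx = value.toLowerCase().indexOf(query.toLowerCase());
  if (idx === -1) return escapeHtml(value);
  const before = value.slice(0, idx);
  const hit = value.slice(idx, idx + query.length);
  const after = value.slice(idx + query.length);
  return escapeHtml(before) + "<mark>" + escapeHtml(hit) + "</mark>" + escapeHtml(after);
}

// Defensive check for tests: once the tags we deliberately emit are removed,
// no angle bracket may remain in the rendered string.
function onlyTrustedMarkup(html) {
  return !/[<>]/.test(html.replace(/<\/?mark>/g, ""));
}

// Constructed input: the payload from the issue's reproduction steps.
const payload = "<img/src='x'/onerror='alert(8)'>";
console.log(escapeHtml(payload));
console.log(renderSuggestion(payload, "alert"));
console.log(onlyTrustedMarkup(payload), onlyTrustedMarkup(renderSuggestion(payload, "alert")));
```

The order matters: escaping first and highlighting second keeps the rendered string a mix of inert text and tags the code itself chose, which is what an `innerHTML`-based renderer needs before it can safely offer "flexibility" in how suggestions look.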

https://tarekraafat.github.io/autoComplete.js/#/usage

[image: xss]

folknor avatar Apr 26 '23 19:04 folknor

Curious, what kind of flexibility is mentioned here?

When I type markup in a combo box, I do not see circumstances in which I'd want that added as actual DOM to the page.

tpluscode avatar May 01 '23 09:05 tpluscode