
JS injection

Open asterite opened this issue 9 years ago • 3 comments

The autocomplete data isn't escaped for being presented in HTML. For example try using '<script>alert("hello")</script>' as the text of an item, and you'll see an alert pop up when showing that item in the autocomplete.

This is kind of a big security hole in the component...

asterite avatar Feb 24 '17 15:02 asterite

Oh, actually, one has to escape it in the itemTemplate... sorry about the issue!

asterite avatar Feb 24 '17 15:02 asterite

Reopening. I thought underscore or lodash was being used for templates, but it seems the logic is reimplemented here. The problem is, the < and > characters are not being escaped. So yes, this is a security issue...

asterite avatar Feb 24 '17 15:02 asterite

As a workaround, in templates you can do:

<%= $("<div/>").text(item.text).html() %>

This uses a trick to escape HTML using jQuery (which should be available because Materialize needs it).

asterite avatar Feb 24 '17 15:02 asterite
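An added example, not part of the issue thread or the materialize-autocomplete project, showing in plain JavaScript (no jQuery, so it runs under Node) what the workaround above achieves: an escaping helper applied to item text before it is interpolated into an item template, beside the raw interpolation the issue reports. The `renderItemUnsafe`/`renderItemSafe` functions, the `<li class="ac-item">` template and the sample item are assumptions for illustration, not the component's real template.

```javascript
// Added example: escaping autocomplete item text before HTML interpolation.
// Plain-JavaScript equivalent of the jQuery $("<div/>").text(s).html() trick
// from the workaround above; escapes quotes as well so it is also safe in attributes.

// Characters that must not reach the HTML parser unencoded.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape text for use as HTML element content or as an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering (assumed template): item text is interpolated verbatim,
// which is the behaviour the issue describes.
function renderItemUnsafe(item) {
  return `<li class="ac-item">${item.text}</li>`;
}

// Safe rendering (assumed template): item text is escaped first, so any markup
// inside the data is displayed literally instead of being parsed.
function renderItemSafe(item) {
  return `<li class="ac-item">${escapeHtml(item.text)}</li>`;
}

// Check whether the rendered markup contains any tag other than the <li> wrapper.
// Useful as a unit-test assertion for a template that is supposed to escape.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<li class="ac-item">/, "")
    .replace(/<\/li>$/, "");
  return /<[a-zA-Z/]/.test(inner);
}

// Constructed sample item mirroring the reproduction text from the issue.
const sampleItem = { text: '<script>alert("hello")</script>' };

console.log("unsafe:", renderItemUnsafe(sampleItem));
console.log("safe:  ", renderItemSafe(sampleItem));
```

The jQuery trick relies on the browser's text-node serialization, which encodes `&`, `<` and `>` but leaves quotes untouched, so it is only safe when the value lands in element content; the helper above also encodes `"` and `'`, so the same escaped string can be placed in an attribute value. The `containsInjectedTag` check is a cheap regression test to keep in a component's test suite once escaping has been added.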