angular-pretty-checkable

bugfix: the `label` has xss bug

Open lyon-liao opened this issue 8 years ago • 0 comments

The source code is:

    if(attrs.label!=='false'){
        //set label text to label if available otherwise default to value
        var labelText = scope.$eval(attrs.label ? attrs.label : attrs.value);
        var label = angular.element('<label>'+labelText+'</label>');

        //add label before or after depending on label-left value
        if(attrs.labelLeft){
            element.prepend(label);
        }else{
            element.append(label);
        }
    }

When label is `<script>alert(1)</script>`, the alert will open.

lyon-liao, Oct 17 '16 08:10
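The concatenation reported above next to an escaped variant, as an added example that is not part of the original issue or the project's code. The function names `escapeHtml`, `unsafeLabelMarkup`, `safeLabelMarkup` and `demo` are hypothetical, and the directive-level change shown in the comment is an assumed fix, not a patch from the repository.

```javascript
// Added example, not code from angular-pretty-checkable.
// unsafeLabelMarkup mirrors the concatenation quoted in the issue;
// safeLabelMarkup escapes the evaluated label before it reaches the HTML parser.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

function escapeHtml(value) {
  // null/undefined (e.g. scope.$eval of a missing expression) become empty text
  if (value === null || value === undefined) return '';
  // Single pass over the string, so '&' in the output is never escaped twice
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Same construction as the directive: label text is spliced into markup as-is
function unsafeLabelMarkup(labelText) {
  return '<label>' + labelText + '</label>';
}

// Hardened construction: label text can only ever become character data
function safeLabelMarkup(labelText) {
  return '<label>' + escapeHtml(labelText) + '</label>';
}

// Inside the directive, the same effect without hand-written escaping is to
// create the element first and then set its text (assumed fix):
//   var label = angular.element('<label></label>').text(labelText);
// jqLite's .text() assigns textContent, so nothing is parsed as HTML.

function demo() {
  const payload = '<script>alert(1)</script>'; // value from the issue report
  return { unsafe: unsafeLabelMarkup(payload), safe: safeLabelMarkup(payload) };
}

const result = demo();
console.log('unsafe:', result.unsafe);
console.log('safe:  ', result.safe);
```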