
Growl should escape message strings by default

Open johnnyshields opened this issue 10 years ago • 4 comments

Seems like currently this plugin does not escape the message string (though the public demo does), which could lead to injection vulnerabilities. I think it should be escaped by default, with an option to disable the escaping if the user knows what they are doing.

johnnyshields avatar Nov 15 '14 19:11 johnnyshields

I don't think the public demo escapes the message string. jQuery just grabs the html from a content-editable div. Just to make sure we are talking about the same thing, you are referring to something like this: http://www.w3schools.com/jsref/jsref_escape.asp

mouse0270 avatar Dec 16 '14 16:12 mouse0270

Yes, correct, something like the example you gave.

I think the escaping in the demo is done by jQuery then, but BootstrapGrowl doesn't do escaping by itself.

My concern is that if a server echoes some user input into the growl message (for example "Your input '____' is invalid") it could be used for an XSS attack. By default it would be best to err on the side of safety, i.e. escape all inputs.

johnnyshields avatar Dec 16 '14 18:12 johnnyshields
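The escape-by-default behaviour requested above, as an added example that is not bootstrap-notify's own code: `escapeHtml` neutralises the characters that matter in HTML, and the hypothetical `renderGrowl` helper (with an assumed `allowHtml` opt-out, not a real plugin option) escapes unless the caller explicitly asks for raw markup.

```javascript
// Added example (not bootstrap-notify's own code): escape a growl message by
// default, with an explicit opt-out for callers that intend to pass HTML.

// Escape the characters that change meaning inside HTML text and attributes.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical render helper shaped like a growl call: it builds the markup
// that would be inserted into the page. `allowHtml` is an assumed option name;
// the default (false) is the safe, escaping path.
function renderGrowl(message, options = {}) {
  const { allowHtml = false, type = 'info' } = options;
  const body = allowHtml ? message : escapeHtml(message);
  return `<div class="alert alert-${type}" role="alert">${body}</div>`;
}

// Constructed sample: a server echoes a rejected value back into the message,
// and that value happens to contain markup.
const untrustedInput = '<script>alert(1)</script>';
const message = `Your input '${untrustedInput}' is invalid`;

// Default path: the tag survives only as literal text, never as an element.
const safe = renderGrowl(message);

// Opt-out path: markup passes through unchanged; the caller owns that risk.
const raw = renderGrowl('<b>Saved</b>', { allowHtml: true });

console.log(safe);
console.log(raw);
```

A simple check for the default path is that the rendered string never contains an opening `<script` (or any tag from the untrusted value), only its `&lt;`-escaped form.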

+1

strokyl avatar Dec 07 '15 13:12 strokyl

This is being added to version 4.0beta and later.

mouse0270 avatar Dec 07 '15 13:12 mouse0270