jsonTreeViewer

Doesn't escape HTML entities

Open spankykopita opened this issue 7 years ago • 3 comments

jsonTree.js will print out HTML content to the page as is rather than escaping the HTML entities. This results in the HTML being inserted into the DOM and presented, and allows some types of custom JavaScript execution. This constitutes an XSS vulnerability for any pages that render user-provided JSON using this library.

For example, on your demo page at http://summerstyle.github.io/jsonTreeViewer/ - provide the input {"test":"<img src='x' onerror='alert(1)'>"} and observe the alert.

spankykopita avatar Oct 02 '18 18:10 spankykopita

Is this abandoned? This is quite a serious problem that needs fixing

Heath123 avatar May 15 '20 09:05 Heath123

just .replaceAll() the < and > for their respective HTML entities in your code before parsing

KraXen72 avatar Jan 02 '21 19:01 KraXen72

just .replaceAll() the < and > for their respective html entities in your code before parsing

Well it's better to use a proper HTML escaper like https://www.npmjs.com/package/escape-html

Heath123 avatar Jan 02 '21 20:01 Heath123
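The two suggestions in this thread side by side, as an added example that is not part of the issue discussion and not code from the jsonTreeViewer project: a full five-character HTML escaper next to the "replace < and > only" quick fix, run through a small string-based renderer. The renderer, the helper names (renderJson, hasForeignTag, attributeIntact, demo) and the two sample inputs are assumptions made for illustration; the first input is the payload quoted in the original report, the second is a harmless key containing a double quote.

```javascript
// Added example, not code from jsonTreeViewer. Shows why a proper HTML
// escaper is preferable to replacing only < and > before rendering.

// The five characters that change meaning in HTML text or attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape all five; safe for element text and for values inside
// double- or single-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The quick fix proposed in the thread: only < and > are replaced.
function escapeAnglesOnly(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hypothetical renderer (not the library's): one <li> per top-level key,
// with the key repeated in a title attribute so that both the text context
// and the attribute context are exercised by the same input.
function renderJson(jsonText, escaper = escapeHtml) {
  const obj = JSON.parse(jsonText);
  const items = Object.entries(obj).map(
    ([key, val]) =>
      `<li title="${escaper(key)}">${escaper(key)}: ${escaper(String(val))}</li>`
  );
  return `<ul>${items.join('')}</ul>`;
}

// Constructed inputs: the payload from the issue report, and a harmless key
// containing a double quote (only matters once it lands in an attribute).
const REPORTED_INPUT = '{"test":"<img src=\'x\' onerror=\'alert(1)\'>"}';
const QUOTED_KEY_INPUT = '{"say \\"hi\\"":1}';

// True if the markup contains any tag other than the <ul>/<li> the renderer
// itself emits, i.e. untrusted input reached the page as markup.
function hasForeignTag(html) {
  return /<(?!\/?(?:ul|li)[\s>])/i.test(html);
}

// True if every title attribute is still delimited by exactly its own pair
// of double quotes (well-formed output has two quotes per <li>).
function attributeIntact(html) {
  const liCount = (html.match(/<li /g) || []).length;
  const quoteCount = (html.match(/"/g) || []).length;
  return quoteCount === 2 * liCount;
}

// Runs the three variants and reports what each one lets through.
function demo() {
  const unescaped = renderJson(REPORTED_INPUT, (v) => String(v));
  const anglesOnly = renderJson(QUOTED_KEY_INPUT, escapeAnglesOnly);
  const full = renderJson(QUOTED_KEY_INPUT, escapeHtml);
  return {
    rawIsVulnerable: hasForeignTag(unescaped),
    fullEscapeBlocksTag: !hasForeignTag(renderJson(REPORTED_INPUT)),
    anglesOnlyBreaksAttribute: !attributeIntact(anglesOnly),
    fullEscapeKeepsAttribute: attributeIntact(full),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Replacing only the angle brackets stops the reported payload in element text, but a value that ends up inside an attribute can still terminate that attribute with a bare quote, which is the gap the escape-html package mentioned above closes by handling all five characters. In a browser the cleanest fix is not to build markup from strings at all and to set untrusted values through textContent or createTextNode instead.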