CristinaSolana changed the title from "Input tag error messages susceptible to XSS" to "Input tag via Field component error messages susceptible to XSS" on Apr 28, 2020
Tbh, what I think would be great is if the message and the error were separate so you could have a custom message and custom error on the field, both without the use of v-html. :)
For the sake of not having an XSS by default on fields, I think a slot is a good compromise if it will eliminate the v-html.
Overview of the problem
Buefy version: 0.8.17
Vuejs version: 2.X.X
OS/Browser:
Input tag via field component error messages susceptible to XSS. The issue is the v-html used here: https://github.com/buefy/buefy/blob/dev/src/components/field/Field.vue#L35
Steps to reproduce
Expected behavior
The error message should not parse HTML (or sanitize it first) so that XSS is not possible
Actual behavior
Error message parses HTML and allows XSS and therefore the alert pops with the document's domain
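The following is an added example and is not Buefy's code. It contrasts the two rendering paths the issue is about: a message inserted as raw markup (what `v-html` does) versus a message escaped before insertion (what `{{ }}` interpolation does), and adds a small audit helper that lists `v-html` bindings in a single-file-component source so each one can be checked for untrusted data. The sample message and the sample `.vue` source are constructed for the example; `escapeHtml`, `renderHelpUnsafe`, `renderHelpSafe` and `findVHtmlBindings` are hypothetical names, not a Buefy API.

```javascript
// Added example (not from Buefy): escaped vs. raw rendering of a field
// error message, plus an audit helper for v-html bindings.

// Escape the characters that are significant in an HTML text or attribute
// context. This mirrors what Vue's {{ message }} interpolation does before
// the string reaches the DOM.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the message is spliced into the markup unchanged.
// This is the string-level equivalent of <p class="help" v-html="message">.
// Any markup contained in the message is handed to the HTML parser, so a
// message that carries user-controlled text can carry active content.
function renderHelpUnsafe(message) {
  return `<p class="help">${message}</p>`;
}

// Hardened pattern: the message is escaped first, so markup inside it is
// displayed as literal text. This is the string-level equivalent of
// <p class="help">{{ message }}</p>. If a caller genuinely needs rich
// content, a named slot lets the *caller* supply trusted markup while the
// component itself never uses v-html on a string prop.
function renderHelpSafe(message) {
  return `<p class="help">${escapeHtml(message)}</p>`;
}

// Audit helper: list every v-html binding in a .vue source with its line
// number and bound expression, so a reviewer can trace where each value
// comes from. Returns an array of { line, expression }.
function findVHtmlBindings(sfcSource) {
  const hits = [];
  sfcSource.split('\n').forEach((lineText, idx) => {
    const re = /\bv-html\s*=\s*"([^"]*)"/g;
    let m;
    while ((m = re.exec(lineText)) !== null) {
      hits.push({ line: idx + 1, expression: m[1] });
    }
  });
  return hits;
}

// Constructed sample: a validation message that happens to contain markup.
// In the vulnerable path the <em> element is interpreted; in the safe path
// it is shown as text. The same difference applies to any tag or event
// handler attribute that reaches the message string.
const SAMPLE_MESSAGE = 'Password must be <em>at least</em> 8 characters';

// Constructed sample component source modelled on a help paragraph bound
// with v-html (not the real Field.vue contents).
const SAMPLE_SFC = `<template>
  <p v-if="message" class="help" v-html="message"></p>
</template>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('raw    :', renderHelpUnsafe(SAMPLE_MESSAGE));
  console.log('escaped:', renderHelpSafe(SAMPLE_MESSAGE));
  console.log('v-html bindings to review:', findVHtmlBindings(SAMPLE_SFC));
}
```

Running the block prints the raw and escaped renderings of the sample message side by side and lists the single `v-html` binding found in the sample source; pointing `findVHtmlBindings` at real component sources gives a quick inventory of the places where escaping is bypassed and needs a justification.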