Describe the bug
Viewer.js creates its image list using ".alt" directly, but the "alt" attribute may include '"' characters and then cause potential hijacking:
viewerjs/src/js/render.js
Lines 71 to 90 in de9a4cf
I think an escaping of "alt" is needed here, and it's also beneficial to escape "src" and "url".
To Reproduce
Steps to reproduce the behavior:
1. create an <img> and set `image.alt = 'a">nihao'`
2. activate Viewer.js on the image element
3. in the .viewer-list DOM node, there will be a text node of nihao">
Expected behavior
The "alt" attribute can be a real a">nihao.
Desktop:
OS: Windows 10 x64
Browser: chrome 73
Version: 73, stable x64
Additional context
I have a Chrome extension Vimium C and it provides a command "LinkHints.activateModeToOpenImage" to open a new tab to display an arbitrary image. So I've used Viewer.js for years to provide moving and zooming functionalities.
Therefore, in my use case, all of the image source URLs and "alt" text are from common web pages - they should not be "trusted" to be reliable and safe to create HTML. I once used JavaScript to create HTMLImageElement and then set ".alt = ...", but today I find Viewer.js does not. I think this is a bug causing potential HTML hijacking.
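The behaviour reported above, as an added example that is not part of the original issue and is not Viewer.js source code: a string-built list item next to a version that escapes each interpolated value. The function names, the simplified template, and the placeholder URL are assumptions; `parseItem` is a minimal stand-in for an HTML parser that only understands this one template.

```javascript
// Added example: all names here are hypothetical, not taken from Viewer.js.

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: untrusted values are concatenated into markup as-is.
function buildItemUnsafe({ src, alt }) {
  return '<li><img src="' + src + '" alt="' + alt + '"></li>';
}

// Hardened pattern: every interpolated value is escaped for attribute context.
function buildItemSafe({ src, alt }) {
  return '<li><img src="' + escapeHtml(src) + '" alt="' + escapeHtml(alt) + '"></li>';
}

// Stand-in for HTML parsing of this template: the alt value ends at the next
// double quote, the tag ends at the next '>', and anything left before </li>
// becomes a text node.
function parseItem(html) {
  const m = /^<li><img src="[^"]*" alt="([^"]*)"[^>]*>(.*)<\/li>$/.exec(html);
  if (!m) return null;
  // Decode &amp; last so already-decoded text is not decoded twice.
  const decode = (s) => s
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
  return { alt: decode(m[1]), strayText: decode(m[2]) };
}

// Constructed input: the alt value from the report, with a placeholder URL.
const image = { src: 'https://example.test/a.png', alt: 'a">nihao' };

const unsafe = parseItem(buildItemUnsafe(image));
const safe = parseItem(buildItemSafe(image));

console.log(unsafe); // alt is truncated, the remainder leaks out as text
console.log(safe);   // alt survives intact, no stray text
```

In a browser, creating the element with `document.createElement('img')` and assigning its `alt` and `src` properties, as the reporter describes doing previously, avoids markup parsing of these values altogether.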