-
-
Notifications
You must be signed in to change notification settings - Fork 653
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
optionToHtml does not escape HTML characters in option label #264
Comments
Any pull request is welcome. |
Fixed in #255. |
I didn't see textTemplate documented as part of the interface, so I didn't know what its purpose was. I can see its value and I can see that my fix negated this value. However, I still think this is a bug. Shouldn't multiple-select be secure by default--that is, shouldn't the default textTemplate return For example, suppose my Web application allowed an administrator to bulk delete anonymous form posts by their title. The HTML is generated on the server using a server-side template that properly escapes all of the form posts which it inserts into the HTML. This app would appear to work fine, but then what happens when an anonymous post include a To illustrate this, consider this snippet: <select id="ms" multiple="multiple">
<option selected="selected" value="1">Simple</option>
<option value="2">Italics <i> Tag</option>
<option value="3">Bold <b> Tag</option>
<option value="4">Script <script>alert('do something evil')</script></option>
</select> On my browser (FF) the plain HTML shows everything correctly (as HTML tags). When I enlighten the |
I think you are right, I have updated the default to |
Cool. Thanks for giving me a second chance. |
My web page includes a
<select>
whose<option>
labels may include escaped HTML characters. These are not escaped in the control which multiple-select creates. In most cases this is unnoticeable. In some cases, it causes some rendering problems. However, because the choices in my Web page may be populated by one user and viewed by another user, in the worst case it's a security risk, as it may give one user the ability to inject a<script>
into another user's Web page.For example, if I turn this into a multiple-select:
The second option should look like "
Italics <i> Tag
", not "Italics Tag"The bug is in optionToHtml. The "text" variable is read as text (and so the HTML is unescaped), but then processed by JQuery as HTML. Here is a patch of how I fixed this in my repository. The diff is done using subversion (not git) and is based on multiple-select-1.2.0 (not master), so you won't be able to apply the patch automatically, but it's simple enough to apply by hand.
The text was updated successfully, but these errors were encountered: