XSS when using dataFormat function #2071

michaelrodov · 2019-04-18T11:30:31Z

Hi
When using dataFormat function and not converting the value to react component
output is not sanitised. Therefore you can easily run XSS through it.

const Demo = props => {
  let data = [
    {key: "1", value: "test"},
    {key: "2", value: '/1337"><noscript><p title="</noscript><img src=x onerror=alert`openbugbounty`>">'}
  ]
  return (
      <BootstrapTable data={data}>
        <TableHeaderColumn dataField="key" isKey />
        <TableHeaderColumn dataField="value" dataFormat={v => v} />
      </BootstrapTable>
  );
};

Example: https://codesandbox.io/s/q7oj2v6xo9?fontsize=14

The text was updated successfully, but these errors were encountered:

oeph · 2021-05-10T13:16:20Z

It is caused by

react-bootstrap-table/src/TableBody.js

Lines 114 to 118 in 26d07de

    
           if (!React.isValidElement(formattedValue)) { 
        
             columnChild = ( 
        
               <div dangerouslySetInnerHTML={ { __html: formattedValue } }></div> 
        
             ); 
        
           } else {

If you return a invalid react element, it will use dangerouslySetInnerHTML. Your fix could be to use the following dataFormat:
dataFormat={v => (<span>{v}</span>)}

eborden · 2021-12-22T21:21:19Z

There is now a CVE pointing at this issue. Are there plans to fix this XSS exploit?

GHSA-2589-w6xf-983r

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS when using dataFormat function #2071

XSS when using dataFormat function #2071

michaelrodov commented Apr 18, 2019 •

edited

Loading

oeph commented May 10, 2021

eborden commented Dec 22, 2021

XSS when using dataFormat function #2071

XSS when using dataFormat function #2071

Comments

michaelrodov commented Apr 18, 2019 • edited Loading

oeph commented May 10, 2021

eborden commented Dec 22, 2021

michaelrodov commented Apr 18, 2019 •

edited

Loading