mdAutocomplete: XSS vulnerability

[chr22]

You generate HTML from a string to highlight the matching part of the search string in the result.

https://github.com/angular/material/blob/master/src/components/autocomplete/js/highlightController.js#L11

If the search result is this as a string:

and you search for "x" then the resulting output is this, with a real script-tag that gets executed:

I cant create a CodePen because it won't let me insert a script tag in a javascript string.

I can see that you have some sort of sanitizing with a RegEx, that i cant decipher.

[ThomasBurleson]

@robertmesserle, @gkalpak - With the commit 33ac259, should this be closed now?

[robertmesserle]

@ThomasBurleson Leave this open, I pushed this fix without any unit tests, so I'd like to leave it open to make sure I don't forget to add that.

[gkalpak]

(BTW, I am not even sure the fix actually fixes the issue. @robertmesserle, did you test it "manually" ?)

[robertmesserle]

@gkalpak Added unit test, confirmed new fix. I had tested it earlier, but I was rushed and it turns out my test wasn't very good. =p This is why I left this open so I could have a non-rushed look at it.

[gkalpak]

👍 @robertmesserle

[gkalpak]

And 👍 @chr22 for reporting this 😃

[chr22]

👍

[ThomasBurleson]

@chr22 - can you contact via email: ThomasBurleson@Gmail.com. Thx