fix: errorMsg may cause XSS attack #1747
Closed
Hi, guys, I found a bug which will cause an XSS attack: in `errorMsg`, you use `innerHTML` to replace `%url`, but the original image src URL may be an unsafe URL, like this: `https://example.com/"/>"<script>alert("1")</script>"<a`. So the original image URL must be escaped, replacing `<`, `>`, `'` or `"`. This bug is not only in the default error message, but also in custom errors.
![image](https://user-images.githubusercontent.com/41265413/116071176-2931e700-a6c0-11eb-88b2-6370e9359c6d.png)