Tabs: The "add tab" api treats the name as html #1462
Comments
Hey @tmcconechy, can we get some type of high priority on this? It's a security issue for us and we need to get it out as soon as possible.
Ok, whoever picks this up, try to use
Passed QA testing, the fix passed on functional test. Moving to Done.
@tmcconechy, one of our devs found that you can still exploit this issue with a name like: Using stripTags doesn't seem like a very complete solution. Why not just set the text of the element directly so this can't be exploited?
It doesn't have a test case for that, but it handles basic cases. What do you mean by setting the text of the element directly?
Instead of: const anchorMarkup = $(
Ok, I thought that's what you meant 👍 Use the DOM.
Or use https://github.com/infor-design/enterprise/blob/master/src/utils/xss.js#L8 which strips everything (would make the name empty tho).
Why not use xss.escapeHTML? Nothing should be treated as HTML and it would all render as text, right?
Yeah, that's possible too. I guess the question is what we expect to happen? Show nothing, or escape that weird string and show it anyway.
I'd say show it always. In our usage, if someone makes a favorite with an XSSy string I'd expect it to just treat it like they meant to do that. Also I feel like I remember a bug a few years ago where there was some metadata in our product somewhere that gets auto populated with
Alright, I'll change this one around - failed QA on it
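To make the "use the DOM" and "escapeHTML" suggestions from the thread concrete, here is an added example (not code from the enterprise repo; the function names, the markup shape and the `escapeHtml` helper are assumptions, and the helper is a stand-in for the project's `xss.escapeHTML`). It places the vulnerable string-concatenation pattern next to two fixes: escaping before concatenation, and building the element with `textContent`.

```javascript
// Added example, not the project's own code. Names and markup shape
// are assumptions chosen to illustrate the bug discussed in the thread.

// Stand-in HTML escaper for the string-building path (assumption:
// not the project's xss.escapeHTML, just the same idea).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The bug: the name is concatenated straight into markup, so any tags
// in it become real elements once the string is parsed by the browser.
function unsafeTabMarkup(name) {
  return '<a href="#" class="tab-title">' + name + '</a>';
}

// Fix 1: keep the string path but escape the name first. The tab then
// shows the literal text, tags included, exactly as it was entered.
function safeTabMarkup(name) {
  return '<a href="#" class="tab-title">' + escapeHtml(name) + '</a>';
}

// Fix 2 ("use the DOM"): create the element and assign the name via
// textContent, which is stored as a text node and never parsed as HTML.
// `doc` is a parameter so the function can be read outside a browser.
function safeTabElement(doc, name) {
  const a = doc.createElement('a');
  a.setAttribute('href', '#');
  a.className = 'tab-title';
  a.textContent = name; // text node, never markup
  return a;
}

// Constructed sample tab name containing markup.
const sampleName = 'Sales <b>Q1</b>';

console.log(unsafeTabMarkup(sampleName)); // <b> survives as a real tag
console.log(safeTabMarkup(sampleName));   // &lt;b&gt; renders as text
if (typeof document !== 'undefined') {
  // Only runs in a browser; serialisation shows the name escaped.
  console.log(safeTabElement(document, sampleName).outerHTML);
}
```

Note that stripping tags, as in the thread's stripTags approach, changes the user's text, whereas both fixes above preserve it and only change how it is interpreted.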
Describe the bug
HTML can be passed as the 'name' to the add tab API and it will get treated as actual HTML. The rename API seems to be immune to this in our testing.
To Reproduce
Expected behavior
Passing a name with HTML as a tab name shouldn't be allowed to be treated as HTML.
Version
4.11.x
Screenshots