Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix XSS vulnerability in title attribute #847

Closed
wants to merge 1 commit into from
Closed

Fix XSS vulnerability in title attribute #847

wants to merge 1 commit into from

Conversation

Addono
Copy link

@Addono Addono commented Nov 15, 2017

No description provided.

@LukeLeber
Copy link

Any chance of getting this merged in?

An outstanding security issue that's approaching 5 years old doesn't bode well for any upstream consumers of this project.

@Addono
Copy link
Author

Addono commented Jan 26, 2022

There are more details in #846, in short: from a backwards compatibility point of view this can be considered a feature 🤷‍♂️

@Addono
Copy link
Author

Addono commented Jan 26, 2022

The ticket does describe a workaround. So even though the defaults aren't safe, you can still get the library to behave in a safe manner by escaping the user controlled input yourself.

@seanr
Copy link

seanr commented Jan 26, 2022
edited

@Addono that doesn't help for other projects that use this, like the Drupal colorbox module. Anyone know what happened to the maintainers?

@seanr
Copy link

seanr commented Jan 26, 2022
edited

Also, it's not a feature request when said Drupal module is now considered unsupported because of this and THOUSANDS of sites are using that. I really consider that a cop-out, I'm afraid. :( It's a royal pain in the ass to fix something like this when you're dealing with a dependency chain like that. For the record, I'd be much happier if this stuff could be done without JS altogether, like some sort of extension of HTML5. I hate having to depend on JS for this crap, because it's always brittle.

@greggles
Copy link

@seanr I don't think this library is responsible for how the Drupal module uses it. The Drupal module can and should prevent malicious text from being used in these labels, that's all. Questions about maintainership of the Drupal module will likely be answered better/faster in the Drupal module queue and are a bit off-topic over here.

@seanr
Copy link

seanr commented Jan 26, 2022

My point is there's a known bug in the underlying library. It should be fixed here.

@greggles
Copy link

It's not a bug, though. From #846 it's explained that allowing HTML is intentional and whatever uses this should do the work of appropriate sanitizing. It's the responsibility of higher-level code that knows "was the text entered by an admin or an untrusted user?" to do appropriate filtering/sanitizing.

@LukeLeber
Copy link

I think the rationality in the issue discussion makes sense. Perhaps it would be best to close this PR?

@jackmoore
Copy link
Owner

@LukeLeber Agreed.

But thank you all for the input! Colorbox continues to exist mainly for legacy users, so a backward compatibility change (even if released as a new version) has the potential to cause more trouble than it's worth.

@jackmoore jackmoore closed this Jan 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@Addono @LukeLeber @seanr @greggles @jackmoore