xss bug found #580
src/component/element.js

```js
import DOMPurify from 'dompurify';
...
html(content) {
  if (content !== undefined) {
    // XSS filtering
    this.el.innerHTML = DOMPurify.sanitize(content);
    return this;
  }
  return this.el.innerHTML;
}
...
```
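As an added example (not code from the x-spreadsheet project or from anyone in this thread), here is a text-by-default version of the `html()` accessor together with a scan that flags cell values carrying markup before a sheet is rendered. It assumes x-spreadsheet's `rows -> cells -> text` data shape and uses plain HTML escaping in place of DOMPurify so that it runs without that dependency; the sample sheet is constructed for the demonstration.

```javascript
// Added example, not part of x-spreadsheet. Two defensive pieces:
//   1. SafeElement.html(): cell values are written as escaped text, never as markup.
//   2. findSuspiciousCells(): audit a sheet's data for tags / inline event handlers
//      before it is handed to any innerHTML-based renderer.
// Assumption: data shape { rows: { r: { cells: { c: { text } } } } } as used by x-spreadsheet.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let a value break out of text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Same getter/setter shape as the element.js snippet above, but the setter escapes
// instead of trusting the caller; innerHTML is a plain field here so it runs in Node.
class SafeElement {
  constructor() { this.innerHTML = ''; }
  html(content) {
    if (content !== undefined) {
      this.innerHTML = escapeHtml(content);
      return this;
    }
    return this.innerHTML;
  }
}

// A tag opener, an on*= handler attribute, or a javascript: URL inside cell text.
const MARKUP_RE = /<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript:/i;

// Walk every cell and report the ones whose text looks like markup.
function findSuspiciousCells(sheet) {
  const hits = [];
  for (const [r, row] of Object.entries(sheet.rows || {})) {
    for (const [c, cell] of Object.entries(row.cells || {})) {
      if (cell && typeof cell.text === 'string' && MARKUP_RE.test(cell.text)) {
        hits.push({ row: Number(r), col: Number(c), text: cell.text });
      }
    }
  }
  return hits;
}

// Constructed sample: a label, a formula, and the payload quoted in this issue.
const SAMPLE_SHEET = {
  rows: {
    0: { cells: { 0: { text: 'Revenue' }, 1: { text: '=SUM(B2:B9)' } } },
    1: { cells: { 0: { text: '"><img src=1 onerror=alert(document.domain)>' } } },
  },
};
```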
barnardb added a commit to softwaretechnik-berlin/flexivis that referenced this issue on Apr 16, 2023:

Dependabot reports that

> All versions of package x-data-spreadsheet are vulnerable to
> Cross-site Scripting (XSS) due to missing sanitization of values
> inserted into the cells. (up to current version 1.1.9.)

Note that this issue reports an XSS issue: myliang/x-spreadsheet#580

With this fixing PR which has not been merged: myliang/x-spreadsheet#581

Also, some issues may have been fixed, but not released, as this issue complains that there hasn't been a release in years despite unreleased fixes: myliang/x-spreadsheet#632

The package also depends on the discontinued opencollective package, which brings additional problematic dependencies.
xss found

PoC: https://ibb.co/XbdMNVV

Payload:

```html
"><img src=1 onerror=alert(document.domain)>
```