Xss vulnerability on firefox #1363
Comments
ng-select already sanitizes your data, but since your example is not correct it fails to do that. Your
I have updated the example on stackblitz. I have added
Are there any updates regarding this issue? Furthermore, I have this issue on Chrome as well.
If using https://github.com/ng-select/ng-select/blob/master/src/ng-select/lib/ng-select.component.ts#L729 seems the line where we can
When using ng-option See ng-select/ng-select#1363
Describe the bug
On Firefox only, there is an XSS vulnerability with the payload
<marquee loop=1 width=0 onfinish=confirm(1)>XSS</marquee>
Reproducible example
Example which shows how to reproduce the issue, but it doesn't seem to work on stackblitz.
Please note that the issue is only on Firefox.
Expected behavior
The content of ngModel should be displayed as it is