Xss vulnerability on firefox #1363

Closed
adrienpessu opened this issue Sep 24, 2019 · 4 comments

@adrienpessu

Describe the bug
On Firefox only, there is an XSS vulnerability with the payload <marquee loop=1 width=0 onfinish=confirm(1)>XSS</marquee>

Reproducible example
Example which shows how to reproduce the issue, but it doesn't seem to work on stackblitz.

Please note that the issue is only on Firefox.

Expected behavior
The content of ngModel should be displayed as it is

@varnastadeus
Member

ng-select already sanitizes your data, but since your example is not correct it fails to do that. Your [items] must be present or you should use <ng-option>, otherwise the control is useless.

<ng-select  appendTo="body"
    [items]="[]"
    [ngModel]="tmp">
</ng-select>

@adrienpessu
Author

I have updated the example on stackblitz.

I have added <ng-option> and the XSS is still there.

  <ng-select  appendTo="body"
              [ngModel]="tmp">
    <ng-option value="none">
      nope
    </ng-option>
  </ng-select>

@KerNIM

KerNIM commented Sep 5, 2022

Are there any updates regarding this issue?
I have come across the same issue, but up until now there is not any solution for this.

Furthermore, I have this issue on Chrome as well.

@Chocobozzz

If using <ng-option>, ng-select doesn't sanitize option values, which is fine. But it doesn't sanitize the selectedItems either, which leads to XSS if the parent doesn't check the injected ngModel or patches the ng-select input with an untrusted value.
When using ng-option, ng-select should ensure the item of selectedItems is included in the list of available options. If not, it should escape it.

https://github.com/ng-select/ng-select/blob/master/src/ng-select/lib/ng-select.component.ts#L729 seems to be the line where we can escapeHTML.

Chocobozzz added a commit to Chocobozzz/PeerTube that referenced this issue Nov 14, 2022
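
The check suggested in the last comment, as an added example that is not part of the thread or of ng-select's code: a value bound through ngModel is rendered as-is only when it matches a declared option, and is HTML-escaped otherwise. The names Option, escapeHtml and resolveSelectedLabel are hypothetical, and the sample option mirrors the <ng-option value="none"> from the thread.

```typescript
// Added illustration; Option, escapeHtml and resolveSelectedLabel are
// hypothetical names, not part of ng-select's API.
interface Option {
  value: string;
  label: string;
}

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the characters that let text break out into markup or attributes.
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Decide what to render for the value currently bound through ngModel.
function resolveSelectedLabel(options: Option[], modelValue: unknown): string {
  if (modelValue === null || modelValue === undefined) {
    return ""; // nothing selected
  }
  const known = options.find((o) => o.value === modelValue);
  if (known) {
    // Declared in the template by the developer: rendered as-is.
    return known.label;
  }
  // Not among the declared options, so it came from the model: untrusted.
  return escapeHtml(String(modelValue));
}

// Constructed sample: the option from the thread's template and the
// payload quoted in the issue description.
const OPTIONS: Option[] = [{ value: "none", label: "nope" }];
const PAYLOAD = "<marquee loop=1 width=0 onfinish=confirm(1)>XSS</marquee>";

console.log(resolveSelectedLabel(OPTIONS, "none"));
console.log(resolveSelectedLabel(OPTIONS, PAYLOAD));
```
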