XSS issue with emptyTemplate when no results found #355

Closed
grieblius opened this Issue Jun 28, 2017 · 1 comment

grieblius commented Jun 28, 2017

Hello,

There is an XSS issue when using {{query}} in the emptyTemplate variable when no results are found.
For example, we have such an emptyTemplate:
emptyTemplate: 'No result for "{{query}}"',

If we enter HTML code in the query input, e.g. <img src="" onerror="alert('bad code')">
the JS code is executed.

In this case {{query}} must be treated as plain text, not HTML code.

Thanks,
Giedrius
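As an added illustration of what the report describes (not the Typeahead plugin's own code): a stand-in for template substitution that splices {{query}} in raw, beside a version that HTML-escapes the value before substitution, run on the payload quoted in the report as constructed input. `renderUnsafe`, `renderSafe`, `escapeHtml` and `hasInlineHandler` are assumed names, not the plugin's API.

```javascript
// Added example, not code from the Typeahead plugin: why a raw {{query}}
// substitution in emptyTemplate is an XSS sink, and the escaping that closes it.

const EMPTY_TEMPLATE = 'No result for "{{query}}"';   // template from the report
const EVIL_QUERY = `<img src="" onerror="alert('bad code')">`; // constructed input

// Assumed stand-in for the vulnerable behaviour: the query is dropped into the
// HTML string unchanged, so any markup the user typed becomes live markup.
function renderUnsafe(template, query) {
  return template.replace(/\{\{query\}\}/g, query);
}

// Escape the five characters that let text break out of an HTML text or
// attribute context. This is the only transformation the query needs.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: escape the value *before* splicing it in. The template author's
// own markup (the quotes around {{query}}) is preserved; only the query is text.
// A function replacer is used so that "$&" / "$1" in the query are not
// interpreted as String.prototype.replace special patterns.
function renderSafe(template, query) {
  return template.replace(/\{\{query\}\}/g, () => escapeHtml(query));
}

// Simple defender-side check usable in a unit test: does the rendered markup
// contain a tag carrying an inline on* event handler attribute?
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Demonstration when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe(EMPTY_TEMPLATE, EVIL_QUERY));
  console.log('safe:  ', renderSafe(EMPTY_TEMPLATE, EVIL_QUERY));
}
```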

running-coder added a commit that referenced this issue Jun 28, 2017

running-coder commented Jun 28, 2017

Hey @grieblius, thanks for raising the issue, this commit should fix the emptyTemplate option

@running-coder running-coder added the Bug label Jun 28, 2017

@running-coder running-coder added this to the 2.9.0 milestone Jun 28, 2017

running-coder added a commit that referenced this issue Aug 18, 2017

Version 2.9.0
Feature
- #306 Allow Typeahead to be initialized on <textarea> and <div> with content editable

Fixes
- #363 `templateValue` option when navigating
- #360 Safari pressing Tab brings back to the first tabbable item
- #355 XSS issue with emptyTemplate when no results found
- #351 htmlEntities inside correlativeTemplate
- #311 When `href` option is set, pressing Enter should follow the link

Improvement
- #326 Improve Up / Down / Tab navigation to have only 1 "selected" item