-
-
Notifications
You must be signed in to change notification settings - Fork 6.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSS vulnerability in https://select2.github.io/examples.html #4587
Comments
I should note that when this was reported, I did get in contact with GitHub about that repository. The repository has since been disabled: https://github.com/accountupdates/paypal The problem here which we still need to fix is that the example formatter does not properly use jQuery to sanitize the data, and it's something we're planning on fixing in the next release. |
@ Kevin Viewing the release log at https://github.com/select2/select2 it appears you have not yet attended to this. The 4.1 milestone shows only 14% complete and this matter still open. As it appears the 4.1 milestone is at least a year away, is it perhaps warranted to have a commit with this vulnerability plus whatever else you have closed? |
@TheThemeBuilders I'm in the process of looking for new maintainers for Select2, and that's been a slow process. If you're interested in joining the (currently small) team of maintainers, get in contact with me and we can chat. Basically, until that happens I can't guarantee when the next release will be. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Hi all - running 4.0.3 here, and still seeing this issue. Can anyone tell me if there's a fix available in future releases? And thanks again for a great library! |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
If this project is seeking active maintainers, can you disable this bot?
This unresolved issue is referenced in a CVE for 2016....
https://nvd.nist.gov/vuln/detail/CVE-2016-10744
…On Fri, May 17, 2019, 8:26 PM stale[bot] ***@***.***> wrote:
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed if no further activity occurs. Thank you
for your contributions.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#4587?email_source=notifications&email_token=AAAEBYXV3FTS2FSUR4XDQCLPV5EK5A5CNFSM4CPXP3XKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVWD4FA#issuecomment-493633044>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAAEBYT5RZVAUHVAPUHGN43PV5EK5ANCNFSM4CPXP3XA>
.
|
Closing this off as a duplicate of #5448. I thought I did that earlier... |
I'm using select2 version 3.5.4 in my project and a security report mentioned this very issue as possible risk for an XSS attack. Simply put: is there a risk in the library as such that needs a correction in file |
No. There was an XSS vulnerability that existed because of a misconfiguation within the Select2 documentation website. Thanks to the fact that people blindly copy/paste from the source code on the documentation website (as well as the examples, some of which had an issue as well), this was referenced in a CVE where someone has misconfigured Select2 to enable XSS within their application. I am willing to say this though: if you are turning |
If you're using custom formatters with rich menus, there isn't really another way to handle this though. It loads up originally escaped properly using the escaping code we added, and then if you select something else and re-select, it was overriding our mitigation. So I'd still say this is a bug or at least a misfeature. We've resolved this on our end, but it's still broken in the library according to my definition. |
I fully disagree. Since 4.0.0, we have supported returning actual DOM or jQuery elements which contain the escaped markup, and that's what we switched the documentation to recommend. I acknowledge that having the documentation recommend an insecure way was a poor choice and one which was easily corrected, but that doesn't mean that there was no way to do it securely.
I would highly recommend switching to returning DOM elements from your templates, which will allow you to safely inject text (and only text) into the DOM elements, instead of returning HTML as text directly from your templates. If you're looking for an example, you can reference the new docs: https://select2.org/selections#templating |
For anyone coming to this maintaining old/legacy code, the documentation in https://select2.github.io/select2/ might be a bit off in that it has the declaration of Using that function seems like a more comprehensive approach than the commit linked to above. For example:
|
Strings coming from system metadata such as "icon" and "color" are generally assumed to be safe, but out of an abundance of caution this duly escapes them. Also see select2/select2#4587
Under "Loading remote data", the data that is retrieved remotely is not sanitized before displaying it, and this should be done to prevent XSS issues. For example, when I enter je1 in the input field, one of the retrieved GitHub repo's data contains malicious JS code that is executed and that simulates a fake PayPal page which asks for your credit card info (seems like phishing).
The text was updated successfully, but these errors were encountered: