react-tooltip Cross-Site Scripting Vulnerability #405

Closed
SunHuawei opened this issue Aug 3, 2018 · 2 comments

Comments

@SunHuawei

Reproduce

Open this link https://codesandbox.io/s/xov4wqkxyq, move your mouse to the text "Move your mouse to hover me!" on the right side preview panel, and you could see an alert. See this screenshot

Summary

A vulnerability in react-tooltip could allow a remote attacker to conduct a cross-site scripting (XSS) attack on a web browser.

The vulnerability is due to insufficient (not any) sanitization of user-supplied input processed by the html mode. An attacker could exploit this vulnerability by submitting a malicious script in the tooltip. A successful exploit could allow the attacker to execute arbitrary code in the web browser.

Analysis

Applications that include react-tooltip library but do not use the html mode are not affected by this vulnerability.

To exploit this vulnerability, the attacker must input malicious values to the affected application.

Suggestion

Fix it in the next version; this can cover "^3.0.0" to "^3.6.1". Those who stick to some fixed version, or are using a version lower than 3.0.0, should notify their users to upgrade to the newest version, or sanitize outside.
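
The "sanitize outside" suggestion above, as an added example that is not code from the react-tooltip project: untrusted values are HTML-escaped before they are placed into the markup that html mode renders, with the unsafe string concatenation beside it for contrast. The `data-tip` attribute and the `html={true}` prop mentioned in this thread are assumed here to be the v3 API.

```javascript
// Added example (not react-tooltip's own code): compose tooltip markup for
// html mode so that attacker-controlled values cannot inject markup.

// Escape the characters that let a string break out of text content or an
// attribute value once the tooltip host parses the string as HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Tagged template: the literal parts are trusted markup written by the
// developer; every interpolated value is untrusted and is always escaped.
function tooltipHtml(strings, ...values) {
  return strings.reduce(
    (out, literal, i) =>
      out + literal + (i < values.length ? escapeHtml(values[i]) : ''),
    '',
  );
}

// Unsafe composition: the untrusted value lands in the markup verbatim, and
// html mode renders whatever markup it contains.
function unsafeTooltipHtml(userName) {
  return '<b>' + userName + '</b>';
}

// Constructed sample input, standing in for a display name an attacker
// controls (e.g. a profile field shown in a tooltip).
const SAMPLE_NAME = 'Mallory <img src=x onerror=alert(1)>';

// Returns both variants so the difference can be inspected or asserted.
// In a React tree the safe string would go into the target's data-tip
// attribute (assumed v3 API) with <ReactTooltip html={true} /> rendering it.
function demo() {
  return {
    unsafe: unsafeTooltipHtml(SAMPLE_NAME),
    safe: tooltipHtml`<b>${SAMPLE_NAME}</b>`,
  };
}
```

The escaped form still displays the literal text of the name inside the bold tag; only the trusted `<b>` wrapper written by the developer is interpreted as markup.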

@jagracey

As I understand your report, this is not a vulnerability.

HTML rendering is opt-in, and your example doesn't trigger with HTML rendering disabled.

You could argue that new coders may too easily accidentally shoot themselves in the foot by opting in to HTML rendering, and that it should be more difficult to enable HTML rendering, like with React: `<div dangerouslySetInnerHTML={{ __html: 'your html here' }} />`

But I disagree. html={true} is very reasonable.

@SunHuawei
Author

Seems we already fixed it, 182df11, so just close this.
