Reproduce
Open this link https://codesandbox.io/s/xov4wqkxyq, move your mouse to the text "Move your mouse to hover me!" on the right-side preview panel, and you can see an alert. See this
Summary
A vulnerability in react-tooltip could allow a remote attacker to conduct a cross-site scripting (XSS) attack on a web browser.
The vulnerability is due to insufficient (not any) sanitization of user-supplied input processed by the html mode. An attacker could exploit this vulnerability by submitting a malicious script in the tooltip. A successful exploit could allow the attacker to execute arbitrary code in the web browser.
Analysis
Applications that include the react-tooltip library but do not use the html mode are not affected by this vulnerability.
To exploit this vulnerability, the attacker must input malicious values to the affected application.
Suggestion
Fix it in the next version; this can cover "^3.0.0" to "^3.6.1". Those who stick to a fixed version, or are using a version lower than 3.0.0, should notify their users to upgrade to the newest version, or sanitize outside.
As I understand your report, this is not a vulnerability.
HTML rendering is opt-in, and your example doesn't trigger with HTML rendering disabled.
You could argue that new coders may too easily accidentally shoot themselves in the foot by opting in to HTML rendering, and that it should be more difficult to enable HTML rendering, like with React: `<div dangerouslySetInnerHTML={{ __html: 'your html here' }} />`
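The "sanitize outside" mitigation from the report, as an added example that is not part of this issue or of the react-tooltip code base. It assumes the v3 `data-tip` / `data-html` target attributes; the allowlist sanitizer escapes everything and re-enables only bare formatting tags, so tags carrying attributes (event handlers included) stay inert text.

```javascript
// Formatting tags allowed through in html mode; no attributes are ever allowed.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'br'];

// Escape the three characters that let text become markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Escape first, then un-escape only "<tag>" / "</tag>" for allowlisted
// names with nothing between the name and ">". Because the pattern admits
// no attributes, '<b onmouseover="...">' remains escaped text.
function sanitizeTooltipHtml(untrusted) {
  const bareTag = new RegExp(`&lt;(\\/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');
  return escapeHtml(untrusted).replace(
    bareTag,
    (_, slash, name) => `<${slash}${name.toLowerCase()}>`
  );
}

// True when no "<" in the string starts anything other than an allowed bare tag.
function containsOnlyAllowedTags(html) {
  const stray = new RegExp(`<(?!\\/?(?:${ALLOWED_TAGS.join('|')})>)`, 'i');
  return !stray.test(html);
}

// Props for the element that react-tooltip reads its tip from (assumed v3 API).
// Without html mode the tip is rendered as text, so no sanitizing is needed;
// with html mode the untrusted value is sanitized before it is handed over.
function tooltipProps(untrusted, allowHtml = false) {
  if (!allowHtml) {
    return { 'data-tip': String(untrusted) };
  }
  return { 'data-tip': sanitizeTooltipHtml(untrusted), 'data-html': true };
}

// Constructed untrusted input, e.g. a user-supplied display name.
const sample = '<strong>Ada</strong> & co <b onmouseover="x()">hi</b>';
console.log(tooltipProps(sample, true));
```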