Description
Prerequisites
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
💥 Demo Page
React issue template:
tagify-react-wrapper-forked
Explanation
We have found a bug in tagify's template wrapper that leads to an XSS vulnerability, making applications that use tagify.js or react.tagify vulnerable as well.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
Refs:
https://owasp.org/www-community/attacks/xss/
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Affected file:
https://github.com/yairEO/tagify/blob/master/src/parts/templates.js#L13
data-placeholder="${_s.placeholder || '​'}"
aria-placeholder="${_s.placeholder || ''}"
Example on codesandbox.io
Steps to reproduce:
- Open the following forked Tagify's React Wrapper demo
- Notice line #17 where a customUserInput variable is declared. This variable mocks data that came from an API or an input.
- On line #23 we use the customUserInput variable to customize tags.
- Once the demo app is rendered, open the "Tags" tab and hover on the first input. It will fire the XSS.
The following screenshot shows the XSS run on codesandbox.io

The following screenshot shows the same XSS run in the dev build of the app.

As you can see, Tagify builds a new span with an attribute that was not supposed to be there.
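The attribute injection reported above, reduced to a DOM-free sketch and set beside an encoded variant. This is an added example, not code from the issue or from Tagify; the function names, the simplified template and the sample input are all assumptions.

```javascript
// Added example. Function names and the sample input are hypothetical, not Tagify's API.

// Encode the characters that can end an attribute value or open a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Same pattern as the two template lines quoted in the issue (simplified):
// the setting goes into a double-quoted attribute without encoding.
function inputTemplateUnsafe(settings) {
  const p = settings.placeholder || '';
  return `<span class="input" data-placeholder="${p}" aria-placeholder="${p}"></span>`;
}

// Hardened variant: encode first, then interpolate.
function inputTemplateSafe(settings) {
  const p = escapeHtml(settings.placeholder || '');
  return `<span class="input" data-placeholder="${p}" aria-placeholder="${p}"></span>`;
}

// Lists the distinct attribute names a parser would find in double-quoted
// name="value" pairs, which is enough to see whether markup gained an attribute.
function attributeNames(html) {
  const names = new Set();
  const re = /([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.add(m[1]);
  return [...names];
}

// Constructed input standing in for API- or user-supplied data. It carries a
// harmless marker attribute instead of a script.
const CONSTRUCTED_PLACEHOLDER = 'type here" data-injected="1';

console.log(attributeNames(inputTemplateUnsafe({ placeholder: CONSTRUCTED_PLACEHOLDER })));
console.log(attributeNames(inputTemplateSafe({ placeholder: CONSTRUCTED_PLACEHOLDER })));
```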