So if someone wants to work on a PR, I can click the "Merge" button, but that's all I can do, as I don't have a hand in the release process, and the main author seems to have abandoned this project, which I enjoin everyone reading these lines to do too.
It looks like it's possible to inject JavaScript code with the `data-content` option.

When `data-content="<img src=x onerror=console.log('hello')">`, the `onerror` attribute is correctly removed from the generated HTML but it looks like the value is interpreted ("hello" is displayed in the JS console).

Is it the expected behaviour?
Here is a JSFiddle illustrating the issue