
XSS injection possible with data-content #2870

Open
gabriel-cardoso opened this issue Apr 8, 2024 · 1 comment

gabriel-cardoso commented Apr 8, 2024

It looks like it's possible to inject Javascript code with the data-content option.

When data-content="<img src=x onerror=console.log('hello')">, the onerror attribute is correctly removed from the generated HTML, but it looks like the value is interpreted ("hello" is displayed in the JS console).

Is it the expected behaviour?

```html
<html>
<head>
  <title>XSS Injection</title>
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.8/css/bootstrap-select.css">
  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
  <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
  <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.bundle.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.18/js/bootstrap-select.js"></script>
</head>
<body>
  <select class="selectpicker">
    <!-- data-content is rendered as HTML by bootstrap-select; this is the payload from the report -->
    <option data-content="<img src='x' onerror='console.log(9)'>">hello</option>
  </select>
</body>
</html>
```

Here is a JSFiddle illustrating the issue
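An added example, not bootstrap-select's code and not a description of how bootstrap-select handles data-content internally: a standalone page that runs an allowlist sanitizer over the payload from the report. The untrusted markup is parsed in an inert DOMParser document, so no image is fetched, no script runs and no inline handler is registered while the tree is being inspected; only the surviving markup is serialized back. All names here (ALLOWED, safeUrl, sanitizeHtml) and the additional payloads are constructed for this example.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Inert-document allowlist sanitizer (added example)</title>
</head>
<body>
  <pre id="out"></pre>
  <script>
    // Added example, not bootstrap-select code. All names below are ours.
    // Allowlist: element name -> attributes permitted on it. Anything else is dropped.
    const ALLOWED = {
      '*': ['class', 'title'],
      span: [], b: [], i: [], em: [], strong: [], small: [], br: [],
      img: ['src', 'alt', 'width', 'height'],
      a: ['href']
    };
    const URL_ATTRS = ['src', 'href'];

    // Only these schemes are accepted in src/href. Parsing against a fixed base means a
    // relative value resolves to https:, while an absolute value keeps its own scheme;
    // the URL parser also strips tabs/newlines, so "java&#9;script:" is still caught.
    function safeUrl(value) {
      let u;
      try { u = new URL(value, 'https://example.invalid/'); } catch (e) { return false; }
      return ['http:', 'https:', 'mailto:'].includes(u.protocol);
    }

    function sanitizeHtml(unsafeHtml) {
      // Inert document: no browsing context, so nothing loads or executes during parsing.
      const doc = new DOMParser().parseFromString(unsafeHtml, 'text/html');
      for (const el of Array.from(doc.body.querySelectorAll('*'))) {
        const name = el.nodeName.toLowerCase();
        // hasOwnProperty, not "in": an element named <constructor> would otherwise
        // match a property inherited from Object.prototype.
        if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) {
          el.remove();            // unknown element: drop it with its whole subtree
          continue;
        }
        const permitted = ALLOWED['*'].concat(ALLOWED[name]);
        for (const attr of Array.from(el.attributes)) {
          const an = attr.name.toLowerCase();
          // on* attributes are never allowlisted; the explicit check is belt and braces.
          if (!permitted.includes(an) || an.startsWith('on')) {
            el.removeAttribute(attr.name);
            continue;
          }
          if (URL_ATTRS.includes(an) && !safeUrl(attr.value)) el.removeAttribute(attr.name);
        }
      }
      return doc.body.innerHTML;   // serialized from the inert document
    }

    // Constructed payloads. The first is the one from the report above.
    const payloads = [
      "<img src='x' onerror='console.log(9)'>",
      "<a href='javascript:alert(1)'>click</a>",
      "<a href='java&#9;script:alert(1)'>click</a>",
      "<span class='ok' title='t'>hello</span><script>alert(1)<\/script>",
      "<svg><animate onbegin='alert(1)'></animate></svg>"
    ];
    const out = document.getElementById('out');
    for (const p of payloads) {
      out.textContent += 'in : ' + p + '\nout: ' + sanitizeHtml(p) + '\n\n';
    }
  </script>
</body>
</html>
```

Opening the page in a browser prints `<img src="x">` for the reported payload, the two links with their href removed, the span with its class and title kept and the script dropped, and nothing for the svg. Whatever a component library does with the attribute, bootstrap-select reads data-content from the page's DOM and renders it as HTML, so application code that builds that attribute from user input should pass it through a sanitizer of this shape before the markup reaches the page, rather than relying on the library to strip it.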

@NicolasCARPi
Collaborator

Hello,

Thank you for reporting this issue, although it would have been better to do it privately, so we can fix it ahead of publication. But don't worry:

  1. There is no SECURITY.md you could follow
  2. There has been no stable release for the past 4 years
  3. There are no active contributors (see v2.0.0 Roadmap #2228 (comment))

So if someone wants to work on a PR, I can click the "Merge" button, but that's all I can do, as I don't have a hand in the release process, and the main author seems to have abandoned this project, which I enjoin everyone reading these lines to do too.

Just to make it clear:

Nobody will fix this

Best,
~Nicolas
