
Possibility for XSS injection (duplicate of #373) #433

Closed
quasarchimaere opened this issue Jul 4, 2022 · 4 comments
Labels
bug Something isn't working
Comments

@quasarchimaere

Since repro steps have been posted, and the issue is still present, wouldn't we want to re-open it?

@rob-balfre
Owner

Ok, I've found a way for a user to inject XSS...

https://svelte.dev/repl/d6511a1329ba4f7996c83cbc0b73951e?version=3.49.0

@rob-balfre rob-balfre added the bug Something isn't working label Jul 12, 2022
@rob-balfre rob-balfre added this to the v5 milestone Jul 12, 2022
rob-balfre added a commit that referenced this issue Jul 14, 2022
@rob-balfre
Owner

Fixed in v16

@quasarchimaere
Author

@rob-balfre not to be a stickler here, but can you please explain to me why the fix is adding an extra function that strips any (possibly) bad content from the option, rather than just removing the @html parameter that circumvents the built-in Svelte escaping?

@rob-balfre
Owner

Because I use it ☺️

Repository owner deleted a comment from ZerdoX-x Jul 15, 2022
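The distinction the two comments above turn on, as an added example that is not part of this thread or of svelte-select's code: Svelte's `{label}` interpolation escapes option text, `{@html label}` inserts it raw, and the fix described keeps `@html` but strips option markup first. The function names, the allowlist rules and the sample labels below are assumptions constructed for illustration, not the project's actual implementation.

```javascript
// Models Svelte's two rendering paths for an option label (assumed names).
// {label}       -> text interpolation, always HTML-escaped by the framework
// {@html label} -> raw markup, so any markup in a user-supplied label lands
//                  in the DOM unless the component neutralises it first

// Entity escaping equivalent to what Svelte applies to {text} interpolations.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Illustrative "strip" step in the shape of the fix discussed above
// (assumption: the real fix's rules differ). Escape everything, then restore
// only bare, attribute-less <b>, <i> and <em> wrappers, so no attribute
// (and therefore no event handler or javascript: URL) can survive.
function stripUnsafeMarkup(label) {
  return escapeHtml(label).replace(/&lt;(\/?)(b|i|em)&gt;/g, "<$1$2>");
}

// Render an option label under one of the three paths.
function renderOption(label, mode) {
  switch (mode) {
    case "text":          return escapeHtml(label);        // {label}
    case "html":          return label;                    // {@html label}
    case "html-stripped": return stripUnsafeMarkup(label); // {@html strip(label)}
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Detection check for the output: does any inline event-handler attribute
// (onerror=, onload=, ...) remain inside a tag in the rendered markup?
function containsEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample labels: one legitimate use of bold, one hostile.
const LEGIT_LABEL = "Choose <b>Option A</b>";
const HOSTILE_LABEL = '<img src=x onerror="attackerScript()">Option B';

console.log(renderOption(HOSTILE_LABEL, "html"));          // markup kept as-is
console.log(renderOption(HOSTILE_LABEL, "text"));          // fully escaped
console.log(renderOption(HOSTILE_LABEL, "html-stripped")); // escaped, <img> gone
console.log(renderOption(LEGIT_LABEL, "html-stripped"));   // <b> wrapper survives
```

Running it shows why the raw `@html` path is the one that needs a strip step: only the "html" mode lets an event-handler attribute through, while the escaped and stripped modes neutralise it and the stripped mode still preserves the harmless bold wrapper.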