
Escaped tags parsed as non-escaped in title and data-content #2199

Closed
latuszek opened this issue Feb 14, 2019 · 7 comments

Comments

@latuszek

bootstrap-select does not handle escaped content correctly. Instead, the escaped content is rendered as if it were not escaped.
A sample can be seen here: https://jsfiddle.net/b1dhf8ec/2/

@caseyjhol (Member)

You're right - the title is not being escaped properly. However, there's nothing that can be done about the escaped content (as its purpose is to display HTML). Since &lt; is displayed as < in the native HTML, there is no way for bootstrap-select to determine that it's supposed to be decoded. A workaround, if you want to display <i>italicized text</i> instead of italicized text as the option's content is to swap out the & with &amp; in the escaped HTML entity. Example:

&amp;lt;i&amp;gt;italicized text&amp;lt;/i&amp;gt;

instead of

&lt;i&gt;italicized text&lt;/i&gt
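The following is an added example, not bootstrap-select's own code, that models the behaviour described in the comment above: the browser decodes entities in an attribute value once, so a single round of HTML escaping applied to user input is undone before data-content is rendered, while the double-escaped form survives as literal text. `decodeAttrEntities` is a constructed stand-in for the browser's attribute decoding, limited to four named entities.

```javascript
// Added example (not bootstrap-select's code). Models why one round of
// escaping does not protect a data-content attribute and why the
// double-escaping workaround does.

const ENTITY_MAP = { amp: '&', lt: '<', gt: '>', quot: '"' };
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

// What a template engine or front-end framework does to a value before
// emitting it into HTML or an attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"]/g, (c) => ESCAPE_MAP[c]);
}

// Constructed stand-in for the browser decoding named entities in an
// attribute value once (what element.getAttribute() would return).
// Simplification: only the four entities in ENTITY_MAP are handled.
function decodeAttrEntities(s) {
  return s.replace(/&(amp|lt|gt|quot);/g, (_, name) => ENTITY_MAP[name]);
}

// Models the data-content path: the decoded attribute value is inserted
// as HTML. Returns true if markup is still present after decoding, i.e.
// the value would be rendered as tags rather than as text.
function rendersAsMarkup(attrValue) {
  return /<[a-z!/]/i.test(decodeAttrEntities(attrValue));
}

// Walks one constructed user-supplied value through both variants.
function compareEscaping(userInput) {
  const once = escapeHtml(userInput);        // what a framework emits
  const twice = escapeHtml(once);            // the workaround from the thread
  return {
    onceDecoded: decodeAttrEntities(once),   // back to raw markup
    onceRenders: rendersAsMarkup(once),      // true: XSS-prone
    twiceDecoded: decodeAttrEntities(twice), // still escaped text
    twiceRenders: rendersAsMarkup(twice),    // false: shown literally
  };
}

console.log(compareEscaping('<i>italicized text</i>')); // constructed sample
```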

caseyjhol added a commit that referenced this issue Feb 27, 2019
…onsistincy across option and button)

prevent HTML inside subtext
escape option title (#2199)
remove now unused htmlUnescape function
@latuszek (Author) commented Feb 27, 2019

I understand you want to have an option to define data-content="&lt;i&gt;italicized text&lt;/i&gt" instead of data-content="<i>italicized text</i>", and I think it is reasonable.
However, it should be mentioned in the documentation, as some of the content may come from user input (this is my case - I'm displaying there info about a registered company).
All proper front-end frameworks escape displayed content and change vulnerable characters to the escaped form, but in this case it will not help, and currently most developers will be unaware of this.

@caseyjhol (Member)

Can you elaborate a bit? What specifically do you want mentioned in the documentation? I added a note about the potential for an XSS attack when using the data-content feature in commit d2333c8. Unfortunately, &lt; being converted to a literal < when inside an HTML attribute is a limit bootstrap-select has no control over.

@latuszek (Author)

Something like you've written, but I would also mention that it converts HTML-escaped characters to their real value, e.g. &lt;i&gt; will become <i>. But you have some exceptions to this (like the <script> tag) which, I think, are also worth mentioning.

BTW thanks for really good component.

@lirantal

+1, and many thanks @caseyjhol for your dedication to handle security issues! 👏

@caseyjhol (Member)

Released in v1.13.6!

@mcoops commented Oct 1, 2020

Retrospectively, CVE-2019-20921 has been assigned to this issue.
