-
Notifications
You must be signed in to change notification settings - Fork 200
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Script Injection possible #72
Comments
Hey Martin! Thanks for bringing this up. I was aware of this issue when I built support for custom HTML. I decided to offload the responsibility to sanitize the content to the developer. I don't want Notyf to be too smart, to be honest. I'd rather have it be a dumb component even if it comes at the cost of such liability. Your point is valid, though. I'll add a warning in the docs to make sure devs don't miss this (hopefully their frameworks will also help in this). Thanks! |
@caroso1222 I appreciate the work you put into developing and designing Notyf. That said, I hope you can reconsider @mgrubinger's proposal of essentially changing line 174 from As an open-source developer it's okay to de-scope features and responsibilities- but in this case it would make sense to apply the straightforward fix. Offloading the responsibility of sanitising to the developer is a poor methodology in general as the modern sanitisation approach is to leverage |
Hey @jagracey. Thanks for your input! I understand the concern. In my view, there are two things to consider here. First, Second, HTML sanitization is too complex for this plugin to handle. I wouldn't like to have my project running with several libraries, all of them having 200 LOC of HTML sanitation. Once again, I appreciate the intention. I understand an injection attack is serious and that's why I put the warning in the readme. However, Introducing a breaking change or writing several LOC to sanitize is not in the scope of the project. |
Hi! Thanks for this nice toast plugin!
Just wanted to let you know that i is possible to inject malicious code due to the usage of innerHTML. It's easy to test on the demo site as well by entering a message like:
They see me rolling <img src=x onerror='alert("hi");' />
or
They see me rolling <img src=x onerror='alert(document.cookie)' />
Please consider escaping
message
in some way or replaceinnerHTML
withtextContent
.Thanks!
The text was updated successfully, but these errors were encountered: