XSS Vulnerability in VirtualSelect’s options Configuration #365

Closed
izambasiron opened this issue Nov 7, 2024 · 0 comments · Fixed by #381
Labels: bug (Something isn't working)

Comments

izambasiron commented Nov 7, 2024

Description:
When using the VirtualSelect library with user-controlled options values, certain JavaScript event handlers embedded within the label or value fields are executed, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue occurs even with the enableSecureText option enabled, suggesting that it does not fully sanitize or escape inputs with JavaScript embedded.

Codepen demo

Steps to Reproduce:

  1. Initialize VirtualSelect with an option containing a JavaScript onclick event in the label and value fields.

    // Reporter's demo: both fields carry a double quote that closes the
    // surrounding attribute and appends an onclick handler.
    document.addEventListener('DOMContentLoaded', function () {
      VirtualSelect.init({
        ele: '#sample-select',
        showValueAsTags: true,
        enableSecureText: true, // bypassed by this payload in 1.0.46
        options: [
          { label: '" onclick="alert(\'label\')"', value: '" onclick="alert(\'value\')"' }
        ],
      });
    });
  2. Load the page containing this code.

  3. Observe that clicking on the injected option label triggers an alert dialog due to the embedded onclick event.

Expected Behavior:
The enableSecureText option should escape or sanitize any potentially harmful JavaScript, ensuring that user-provided content in label and value fields cannot trigger XSS.

Actual Behavior:
JavaScript code embedded within value fields is executed, leading to a potential XSS vulnerability.

Environment:

  • VirtualSelect version: 1.0.46
  • Browser: Chrome, Safari, Firefox
  • Operating System: Windows, MacOS, Android, iOS
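Added example, not code from VirtualSelect or from the reporter: a Node-runnable re-creation of why a textContent-to-innerHTML round trip is safe for text nodes but not for attribute values, beside a hardened escaper that also entity-encodes both quote characters (the same idea as the double-quote replacement described in the fix commit message below). The names textContentToInnerHTML, escapeForAttribute, renderTag and attributeNames, and the span markup they build, are this example's own assumptions; the payload strings are the ones from the report.

```javascript
// textContentToInnerHTML() mimics what a browser does when a string is
// assigned to a div's textContent and innerHTML is read back: the text-node
// serializer escapes only '&', '<' and '>' (and U+00A0, omitted here).
// That is enough inside an element's text but NOT inside an attribute,
// where an unescaped '"' terminates the attribute value.
function textContentToInnerHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened variant (this example's own, not the library's API): additionally
// turn both quote characters into entities so the value can never close the
// attribute it is placed in.
function escapeForAttribute(s) {
  return textContentToInnerHTML(s)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for the tag markup a component might build from one option.
// The class name and attribute are assumptions for the demonstration.
function renderTag(label, value, escape) {
  return `<span class="vscomp-value-tag" data-value="${escape(value)}">${escape(label)}</span>`;
}

// Tiny attribute extractor for the opening tag only (not an HTML parser):
// returns the names of name="..." attributes that a tokenizer would see.
function attributeNames(markup) {
  const tag = markup.slice(0, markup.indexOf('>') + 1);
  const names = [];
  const re = /\s([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Constructed input: the payload from the issue report.
const PAYLOAD_LABEL = '" onclick="alert(\'label\')"';
const PAYLOAD_VALUE = '" onclick="alert(\'value\')"';

function demo() {
  const weak = renderTag(PAYLOAD_LABEL, PAYLOAD_VALUE, textContentToInnerHTML);
  const hardened = renderTag(PAYLOAD_LABEL, PAYLOAD_VALUE, escapeForAttribute);
  return {
    weak,
    hardened,
    weakAttrs: attributeNames(weak),         // includes 'onclick'
    hardenedAttrs: attributeNames(hardened), // only 'class' and 'data-value'
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The weak rendering yields `data-value="" onclick="alert('value')""`, so the browser sees a real onclick attribute; the hardened rendering keeps the whole payload inside one attribute value. Escaping for the text context and reusing the result in an attribute context is the root of the report, not a missing blacklist of event names.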
izambasiron added a commit to izambasiron/virtual-select that referenced this issue Nov 7, 2024
Fixes sa-si-dev#365

Update the `secureText` method in `src/virtual-select.js` to enhance XSS protection.

* Modify the return statement to use `Utils.replaceDoubleQuotesWithHTML(this.$secureDiv.innerHTML)` instead of `this.$secureDiv.innerHTML`.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/sa-si-dev/virtual-select/issues/365?shareId=XXXX-XXXX-XXXX-XXXX).
gnbm added a commit that referenced this issue Jan 4, 2025
- Fixed typo on `enableSecureText` description within the documentation
- Updated some dev dependencies from the project
- Fixed issue #365 associated with a XSS vulnerability (`enableSecureText` must be set to true for this to be applied)
gnbm added the bug label Jan 5, 2025
gnbm added a commit that referenced this issue Jan 6, 2025
- Fixed typo on `enableSecureText` description within the documentation
- Updated some dev dependencies from the project
- Fixed issue #365 associated with a XSS vulnerability (`enableSecureText` must be set to true for this to be applied)
gnbm closed this as completed Jan 6, 2025