AlaSQL / alasql

AlaSQL.js - JavaScript SQL database for browser and Node.js. Handles both traditional relational tables and nested JSON data (NoSQL). Export, store, and import data from localStorage, IndexedDB, or Excel.
http://alasql.org
MIT License

XSS Vulnerability #1810

Closed akhaneev closed 10 months ago

akhaneev commented 11 months ago

The following query causes script execution: RESTRICTED

I guess the problem is with the quote escaping in the query. Also, this issue causes some queries with special characters to fail.

akhaneev commented 11 months ago

Hi @mathiasrw, Can you make this issue hidden to prevent it from being exploited?

mathiasrw commented 11 months ago

I can't hide the issue, but only maintainers and you can see the original payload now.

mathiasrw commented 11 months ago

Problem replicated. Fix implemented. One test is failing for reasons that are not clear at the moment.

mathiasrw commented 10 months ago

Fixed as part of v4.1.11, v3.1.1, v2.5.4 and v1.7.5.

v0.x has not been updated.