Closed Livven closed 2 years ago
Hey. Extremely sorry about the 8-month-late reply, but I've been a bit busy.
You're completely right, I didn't have XSS in mind when I first designed this. As of version v3.0.2 I redesigned the component to use React children instead of innerHTML, so this should solve the issue you mentioned. Thanks for reporting this and sorry for ignoring it for such a long time.
Setting `placeholderRef.current.innerHTML` opens up users of this library to XSS in case they pass unsanitized user input to the `text` prop.

It's a bit difficult to exploit since the element has `visibility: hidden`, but there are indeed ways to do so e.g. with `accesskey`, which I can confirm does work.

Doesn't seem like there is any functional reason to prefer `innerHTML` over `textContent` here anyway.
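
The pattern reported in this issue can be found in component source with a simple check. The following is an added example, not part of the original thread or the library's code; the sample lines are constructed, and only `placeholderRef.current.innerHTML` and the `text` prop come from the issue.

```javascript
// Line-based heuristic: report assignments to `.innerHTML` whose right-hand
// side is anything other than a constant string. Multi-line assignments and
// block comments are not handled (a limitation of this sketch).
const SINK = /([\w$.\[\]]+)\.innerHTML\s*(\+?=)(?!=)\s*(.+)$/;
// Constant: one quoted string, or a template literal with no ${...},
// optionally followed by `;` and a trailing line comment.
const CONSTANT = /^(?:'[^']*'|"[^"]*"|`(?:(?!\$\{)[^`])*`)\s*;?\s*(?:\/\/.*)?$/;

function findInnerHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    if (text.trim().startsWith('//')) return; // whole-line comment
    const match = SINK.exec(text);
    if (!match) return; // no assignment to .innerHTML (comparisons are skipped)
    const [, target, operator, rest] = match;
    if (CONSTANT.test(rest)) return; // fixed markup, nothing caller-controlled
    findings.push({
      line: index + 1,
      target,
      operator,
      value: rest.replace(/;\s*$/, ''),
    });
  });
  return findings;
}

// Constructed sample resembling a component that measures hidden placeholder text.
const SAMPLE = [
  "useEffect(() => {",
  "  placeholderRef.current.innerHTML = text;",
  "  banner.innerHTML = '<b>Saved</b>';",
  "  label.textContent = text;",
  "  if (box.innerHTML === text) return;",
  "  box.innerHTML += `<li>${item}</li>`;",
  "}, [text]);",
].join('\n');

for (const f of findInnerHtmlSinks(SAMPLE)) {
  console.log(`line ${f.line}: ${f.target}.innerHTML ${f.operator} ${f.value} (not a constant string)`);
}
```

Each finding is a place to switch to `textContent` or to render the value as a React child, which is the change described for v3.0.2.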