WinterCore / react-text-transition

Animate your text changes
MIT License
613 stars 26 forks source link

Fix potential XSS vector #35

Closed Livven closed 2 years ago

Livven commented 3 years ago

Setting placeholderRef.current.innerHTML opens up users of this library to XSS in case they pass unsanitized user input to the text prop.

It's a bit difficult to exploit since the element has visibility: hidden, but there are indeed ways to do so e.g. with accesskey, which I can confirm does work.

Doesn't seem like there is any functional reason to prefer innerHTML over textContent here anyway.

WinterCore commented 2 years ago

Hey. Extremely sorry about the 8 month late reply. but I've been a bit busy.

You're completely right I didn't have XSS in mind when I first designed this. As of version v3.0.2 I redesigned the component to use react children instead fo innerHTML so this should solve the issue you mentioned. Thanks for reporting this and sorry for ignoring it for such a long time.