Open gtsp233 opened 7 months ago
I've found a Cross-Site Scripting (XSS) vulnerability in this package
Vulnerability Details:
Steps to Reproduce: In a React.js project:
```jsx
import React from "react";
import TextTransition, { presets } from "react-text-transition";

const App = () => {
  const [index, setIndex] = React.useState(0);

  React.useEffect(() => {
    const intervalId = setInterval(
      () => setIndex((index) => index + 1),
      3000 // every 3 seconds
    );
    // clearInterval matches setInterval (the original used clearTimeout)
    return () => clearInterval(intervalId);
  }, []);

  return (
    <h1>
      <TextTransition
        text={`<img src='' onerror=alert(1)></img>`}
        springConfig={presets.wobbly}
      />
    </h1>
  );
};

export default App;
```
Suggested Fix or Mitigation: It is best practice to sanitize the text before passing it to innerHTML. Please consider sanitizing it using popular sanitization libraries, e.g., dompurify, to prevent any XSS. Thanks!
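The following is an added example, not code from the reporter or from react-text-transition. It takes the payload from the report and shows (a) why it fires when handed to innerHTML without any user interaction (an `<img>` whose empty `src` fails to load runs its `onerror` handler), (b) why a naive blocklist that only strips `<script>` tags does not stop it, and (c) how HTML-escaping the prop so it renders as literal text neutralises it. Escaping is an alternative to the DOMPurify approach suggested above: DOMPurify in its default configuration would remove the `onerror` attribute but keep the `<img>` element, whereas escaping keeps the prop as text, which is what a prop named `text` implies. The function names (`escapeHtml`, `naiveStripScriptTags`, `hasInlineEventHandler`, `renderTransitionHtml`) and the per-character `<span>` rendering are assumptions of this example, not the library's API.

```javascript
// Added example; not code from react-text-transition or the issue reporter.

// The payload from the report (constructed input, copied from the issue).
const PAYLOAD = "<img src='' onerror=alert(1)></img>";

// Escape the five characters HTML treats specially so the value renders as
// literal text when assigned to innerHTML. Use this when the value is meant
// to be text rather than markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A blocklist filter of the kind often proposed instead of a real sanitizer.
// Included only to show that it does NOT stop this payload: the vector is
// <img onerror>, so there is no <script> tag to strip.
function naiveStripScriptTags(html) {
  return html.replace(/<\s*\/?\s*script\b[^>]*>/gi, "");
}

// Heuristic used by this example only: does the string still contain a tag
// carrying an inline event handler (an on... attribute)? A real check is a
// proper sanitizer such as DOMPurify, not a regex.
function hasInlineEventHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

// Hypothetical model of what a text-transition component hands to innerHTML:
// the incoming text wrapped in a span. With escape=false the payload's tags
// reach the browser intact; with escape=true they arrive as literal text.
function renderTransitionHtml(text, { escape }) {
  const inner = escape ? escapeHtml(text) : text;
  return `<span>${inner}</span>`;
}

// Stand-alone run: print the three cases side by side.
function demo() {
  const vulnerable = renderTransitionHtml(PAYLOAD, { escape: false });
  const blocklisted = renderTransitionHtml(naiveStripScriptTags(PAYLOAD), { escape: false });
  const fixed = renderTransitionHtml(PAYLOAD, { escape: true });
  return {
    vulnerable: { html: vulnerable, fires: hasInlineEventHandler(vulnerable) },
    blocklisted: { html: blocklisted, fires: hasInlineEventHandler(blocklisted) },
    fixed: { html: fixed, fires: hasInlineEventHandler(fixed) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` to see that only the escaped rendering is free of the inline handler; the blocklisted string is byte-for-byte identical to the raw payload.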