Closed tvt-devteam closed 2 years ago
Bump - is there any info on this, or has this been looked at? How should we proceed with this problem?
@tvt-devteam We're supporting HTML rendering to allow a user control over how the UI gets rendered. Since the user is both in control of rendering / their Elasticsearch, I don't see how this is vulnerable to misuse.
Sanitizing the input here would have the side-effect of users not being able to use rich HTML, so this isn't an ideal solution imo.
Thanks for the answer @siddharthlatest
We looked into the component some more and indeed did find the renderItem prop and were able to fix this problem on our end!
We are still thinking that use of this component is a bit risky because of it defaulting to use dangerouslySetInnerHTML.
Maybe there could be a prop to enable/disable the use of this way of rendering, which would be disabled by default?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Affected Projects: React
Library Version: 3.22.0
Describe the bug
User inputted HTML tags are not sanitized by ReactiveSearch. They are rendered using dangerouslySetInnerHTML, and will get inserted into the DOM as such.
To Reproduce
Steps to reproduce the behavior:
<img src onerror("alert('Testing');">
Expected behavior
User-inserted HTML tags should be either sanitized to not contain HTML tag characters, or just be rendered as a string.
Screenshots: BUG / INTENDED (images not preserved)
Desktop (please complete the following information):
Smartphone (please complete the following information): Has not been tested on mobile
Additional context
Link to component that is (most likely) causing the issue
https://github.com/appbaseio/reactivesearch/blob/13a29bab1db06f9ccf5964c625f693bc106baba0/packages/web/src/components/shared/Dropdown.js#L228
NOTE: This has been only slightly tested by us and might not be the best or even correct solution, but it got us some positive results.
Proposed solution:
Change:
into: