bpmn-io / bpmn-js-properties-panel

A properties panel for bpmn-js.
MIT License

Injecting Script via input fields #469

Closed Carsten-St closed 3 years ago

Carsten-St commented 3 years ago

Describe the Bug

Hello all, I currently have the problem that scripts can be injected in the input fields and are executed. This poses a security risk for me (Cross Site Scripting). I have integrated the BPMN Properties Panel as described in your documentation. However, I don't want to rule out that the problem is on my side and not yours. I would appreciate feedback and help. Kind regards

Steps to Reproduce

  1. Open the BPMN Properties Panel
  2. Select an input field and inject some script like: <script>alert("HelloWorld!");</script>
  3. Click on a random position on the editor display, so the input field loses its focus
  4. The script is executed as shown in the images below.

[screenshots: image1, image2]

Expected Behavior

Environment

pinussilvestrus commented 3 years ago

Hi, thanks for reporting!

As you already mentioned, we already tackled sanitization in the past. I was not able to reproduce the problem you're describing inside this basic CodeSandbox.

Can you maybe take this one as a starting point and try to describe how it would be reproducible? Maybe it really depends on a single input.

Carsten-St commented 3 years ago

Thank you very much for your quick reply. We compared our and your code states from the sandbox and indeed found an error in rendering on our side.
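The reproduction steps above (a `<script>` payload typed into an input field, which fires once the field loses focus) and the resolution (a rendering error on the integrator's side) describe the classic sink for this class of bug: an input value concatenated into markup and assigned to `innerHTML` or passed to an unescaping template call. The following is an added example, not code from bpmn-js-properties-panel or from either participant; the function names `renderLabelUnsafe`, `renderLabelSafe`, `escapeHtml`, `containsForeignTag`, the CSS class name and the sample inputs are assumptions made for the illustration.

```javascript
// Added example (not code from bpmn-js-properties-panel): how a custom
// renderer turns an input-field value into an XSS sink, and the hardened form.
// All names and sample inputs here are assumptions for this illustration.

// Minimal HTML escaper covering the characters that break out of text or
// double/single-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw value is concatenated into markup that is later
// assigned to innerHTML (or handed to a template call that does not escape).
function renderLabelUnsafe(value) {
  return `<span class="bpp-label">${value}</span>`;
}

// Hardened pattern: escape before the value reaches HTML context. In a real
// browser the better option is to avoid markup entirely and set
// element.textContent = value, which can never create elements.
function renderLabelSafe(value) {
  return `<span class="bpp-label">${escapeHtml(value)}</span>`;
}

// Crude check a test suite can use: does the rendered markup contain any tag
// other than the renderer's own wrapper element?
function containsForeignTag(html, wrapperTag = 'span') {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => t.replace(/^<\/?/, '').toLowerCase() !== wrapperTag);
}

// Constructed sample inputs (not taken from the issue): the reporter's payload
// from step 2, an event-handler payload that innerHTML does execute, and a
// benign value containing characters that must survive escaping intact.
const SAMPLES = [
  '<script>alert("HelloWorld!");</script>',
  '<img src=x onerror="alert(1)">',
  'Order & "ship" <fast>',
];

// Renders every sample both ways and reports whether a foreign tag leaked.
function demo() {
  return SAMPLES.map((v) => ({
    input: v,
    unsafe: renderLabelUnsafe(v),
    safe: renderLabelSafe(v),
    unsafeLeaksTag: containsForeignTag(renderLabelUnsafe(v)),
    safeLeaksTag: containsForeignTag(renderLabelSafe(v)),
  }));
}

for (const r of demo()) {
  console.log(JSON.stringify(r));
}
```

One caveat worth keeping in mind when triaging reports like this one: a `<script>` element created through `innerHTML` is not executed by browsers, so a payload in that exact form firing on blur points at a different path (for example a `document.write`, a script-evaluating template helper, or an event-handler attribute such as `onerror`) rather than a bare `innerHTML` assignment. The escaping above neutralises all of those, but when verifying a fix, test with an `<img onerror>` payload as well as the `<script>` one.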