dragonofmercy / Tokenize2

Tokenize2 is a plugin which allows your users to select multiple items from a predefined list or ajax, using autocompletion as they type to find each item. You may have seen a similar type of text entry when filling in the recipients field sending messages on facebook or tags on tumblr.
https://dragonofmercy.github.io/Tokenize2/
BSD 3-Clause "New" or "Revised" License

Javascript injection and execution #31

Closed TomK closed 6 years ago

TomK commented 7 years ago

Currently it is possible to execute custom javascript by injection, either by unsanitised values passed from query strings or by rogue information in dataSource. For example, if a value is set to "><script>alert('break')</script> it will execute and alert. In most circumstances it can be resolved client side by sanitising values before adding tokens, however with an external dataSource this becomes more awkward. It is simpler for all if Tokenize2 is able to prevent this.

This was also apparent in the previous version of tokenize. I resolved it previously by encoding/decoding all attributes and using jquery text instead of html for text values.

I have forked T2 and made these changes and will submit a PR shortly for your review.