formio / formio.js

JavaScript powered Forms with JSON Form Builder
https://formio.github.io/formio.js
MIT License

Potential XSS vulnerability. #5462

Open RahulKhandelwal17 opened 9 months ago

RahulKhandelwal17 commented 9 months ago

We are doing R&D on the form.io JS library, and while doing research we found a potential XSS vulnerability. The issue arises when specific text is entered during the addition of a component. To replicate, drag and drop a component and paste the following code into the Tooltip text area:

<img src=x onerror=window.open('https://www.google.com/');>

Immediately after pasting, it triggers a new tab to open. Additionally, once saved or if any further modification is made to the form, it causes redirections with each action.

https://github.com/formio/formio.js/assets/39265558/393afaf1-9219-489f-9688-4b571c393b62
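As an added example (not formio.js code), the script below audits a Form.io form definition for display-text fields that carry raw markup and shows the escaping such text needs before it is interpolated into HTML. The form JSON and the list of audited fields are constructed for the example; the tooltip payload is the one quoted in the report above.

```javascript
// Added example (not part of formio.js): audit a Form.io form definition for
// tooltip/label/description strings containing raw markup, and escape such
// strings before they are placed in HTML. The sample form below is constructed.
const HTML_TAG = /<\/?[a-z][^>]*>/i;      // any element tag
const EVENT_HANDLER = /\bon[a-z]+\s*=/i;  // inline handler attribute, e.g. onerror=
const TEXT_FIELDS = ["label", "tooltip", "description", "placeholder"];

// Escape the characters that matter when text lands in an HTML context.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Walk the component tree. Form.io nests children under `components`; layout
// components such as `columns` carry theirs under `columns[].components`.
function* walkComponents(components, path = "components") {
  for (const [i, comp] of (components || []).entries()) {
    const here = `${path}[${i}]`;
    yield { comp, path: here };
    yield* walkComponents(comp.components, `${here}.components`);
    for (const [j, col] of (comp.columns || []).entries()) {
      yield* walkComponents(col.components, `${here}.columns[${j}].components`);
    }
  }
}

// One finding per display-text field that contains markup.
function auditForm(form) {
  const findings = [];
  for (const { comp, path } of walkComponents(form.components)) {
    for (const field of TEXT_FIELDS) {
      const value = comp[field];
      if (typeof value !== "string" || !HTML_TAG.test(value)) continue;
      findings.push({
        path: `${path}.${field}`,
        key: comp.key,
        hasEventHandler: EVENT_HANDLER.test(value),
        escaped: escapeHtml(value), // safe to interpolate into an HTML string
      });
    }
  }
  return findings;
}

// Constructed sample: a clean field plus a tooltip carrying the payload from the issue.
const sampleForm = { components: [
  { type: "textfield", key: "name", label: "Name", tooltip: "Your full name" },
  { type: "columns", key: "cols", columns: [{ components: [{ type: "email", key: "email",
    label: "Email", tooltip: "<img src=x onerror=window.open('https://www.google.com/');>" }] }] },
] };
```

Run `auditForm(sampleForm)` to get one finding pointing at `components[1].columns[0].components[0].tooltip`; the same walker can be run over stored form definitions on the server before they are handed to a renderer.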

brendanbond commented 9 months ago

Hey thanks @RahulKhandelwal17 - we're aware of this issue and it will be fixed in the upcoming version.

lane-formio commented 9 months ago

Fixed by: https://github.com/formio/formio.js/pull/5392