mulbc / vaultPass

A Chrome extension to leverage Hashicorp Vault as Credential Storage for teams
MIT License

HTML code in Vault secrets is executed #3

Closed mulbc closed 5 years ago

mulbc commented 5 years ago

When secrets in Vault contain HTML code - this is executed when displaying that information in the popup. This could be a security issue.

ThibaultJanBeyer commented 5 years ago

That is easily fixed if you use .textContent instead of innerHTML. The former will not execute code but place it as text. Otherwise you would have to escape or sanitize the input before placing it.
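
The two fixes named in the comment above, side by side with the pattern the issue describes. This is an added example, not code from the thread or from the vaultPass code base; the function names, the shape of the `secret` object and the sample values are assumptions constructed for illustration.

```javascript
// Constructed sample: a Vault secret whose fields contain markup.
const sampleSecret = {
  title: '<b>prod</b><script>console.log(1)</script>',
  username: 'deploy & ops',
};

// Pattern the issue describes (hypothetical reconstruction): the secret is
// concatenated into a string and parsed as HTML by the popup.
function renderUnsafe(container, secret) {
  container.innerHTML = '<li>' + secret.title + ' (' + secret.username + ')</li>';
}

// Fix 1: build the nodes and assign textContent, so the value is never parsed.
// `doc` is the popup's document (passed in so the function can be tested).
function renderSafe(doc, container, secret) {
  const item = doc.createElement('li');
  const title = doc.createElement('strong');
  title.textContent = secret.title;
  const user = doc.createElement('span');
  user.textContent = ' (' + secret.username + ')';
  item.appendChild(title);
  item.appendChild(user);
  container.appendChild(item);
  return item;
}

// Fix 2: if an HTML string must be built, escape every secret-derived value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderEscaped(container, secret) {
  const html = '<li>' + escapeHtml(secret.title) +
    ' (' + escapeHtml(secret.username) + ')</li>';
  container.innerHTML = html;
  return html;
}
```

`renderSafe` is the simpler of the two to audit, because no secret-derived string ever reaches the HTML parser; `renderEscaped` stays safe only as long as every interpolated value passes through `escapeHtml`.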