nandi95 / vue-toastify

🔥 Simple, extendable, dependency free notification plugin. 🔥
https://vue-toastify.netlify.com/
MIT License
227 stars 12 forks

The body is vulnerable to XSS #12

Closed tbhaxor closed 4 years ago

tbhaxor commented 4 years ago

Bug Report: The body content is not sanitized properly.
POC Payload: <img src=x onerror="alert(1)">

Steps to reproduce

  1. Visit the demo site. https://vue-toastify.netlify.com/
  2. Enter the POC Payload
  3. Click the Toastify button

nandi95 commented 4 years ago

Can you elaborate? I don't see how this is an issue. It is intentional to allow html so the developer may use svg. If they are displaying content in the notification from their users then they should sanitize it themselves.
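The maintainer's position above is that the plugin renders the body as HTML on purpose (so a developer can drop in an SVG icon) and that anything user-supplied must be sanitized by the application before it reaches the toast. The snippet below is an added example, not code from vue-toastify or from either participant; it shows the usual way to honour that contract: keep the developer's own markup as-is, escape the untrusted text, and concatenate. The helper names (`escapeHtml`, `buildToastBody`, `looksLikeMarkup`) are assumptions chosen for this example, and the sample icon and user input are constructed; the user input is the payload quoted in the issue.

```javascript
// Added example (not vue-toastify's own code): neutralise user-controlled
// text before it is placed into a notification body that a plugin renders
// as raw HTML, while keeping developer-controlled markup (e.g. an SVG icon).

// The five characters that can break out of text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that would otherwise be interpreted as HTML syntax.
// Always coerce to string so numbers, null, etc. never bypass the replacement.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Cheap pre-check useful for logging: did the input contain tag delimiters?
// This does not replace escaping; it only tells you an attempt was made.
function looksLikeMarkup(value) {
  return /[<>]/.test(String(value));
}

// Compose a toast body from two differently trusted parts:
//   trustedIconSvg  - hard-coded by the developer, inserted verbatim
//   untrustedText   - originates from a user, inserted only after escaping
// The returned string is safe to hand to an option that renders HTML.
function buildToastBody(trustedIconSvg, untrustedText) {
  const safeText = escapeHtml(untrustedText);
  return `${trustedIconSvg}<span class="toast-text">${safeText}</span>`;
}

// Constructed sample inputs (hypothetical icon; payload quoted from the issue).
const ICON = '<svg width="16" height="16" viewBox="0 0 16 16"><circle cx="8" cy="8" r="7"/></svg>';
const USER_INPUT = '<img src=x onerror="alert(1)">';

const body = buildToastBody(ICON, USER_INPUT);
if (looksLikeMarkup(USER_INPUT)) {
  // In a real app this would go to your application log / SIEM, not the console.
  console.log('notification text contained markup; it was escaped');
}
console.log(body);
// The payload survives only as inert text; no "<img" element remains.
```

Escaping is the right tool when the user part is plain text. If the application genuinely needs to accept user-authored HTML in a toast, escaping is no longer sufficient and an allowlist-based sanitizer library should be used instead; rolling a tag/attribute filter by hand is where most bypasses come from.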

tbhaxor commented 4 years ago

Ok fine got your point :wink: