rob-balfre / svelte-select

Svelte Select. A select component for Svelte
https://svelte-select-examples.vercel.app

Possibility for XSS injection (duplicate of #373) #433

Closed quasarchimaere closed 2 years ago

quasarchimaere commented 2 years ago

Since repro steps have been posted and the issue is still present, wouldn't we want to re-open it?

rob-balfre commented 2 years ago

Ok, I've found a way for a user to inject XSS...

https://svelte.dev/repl/d6511a1329ba4f7996c83cbc0b73951e?version=3.49.0

rob-balfre commented 2 years ago

Fixed in v16

quasarchimaere commented 2 years ago

@rob-balfre not to be a stickler here, but can you please explain to me why the fix is adding an extra function that strips any (possibly) bad content from the option, rather than just removing the `@html` parameter that circumvents the built-in Svelte escaping?
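The distinction raised in the comment above, as an added illustration that is not part of the thread or of svelte-select's code: Svelte's text interpolation (`{label}`) HTML-escapes the value before it reaches the DOM, while `{@html label}` inserts the string as raw markup, so any markup inside an option label becomes live. The functions below (`escapeHtml`, `renderAsText`, `renderAsHtml`, `containsScriptElement`) are hypothetical stand-ins for the two rendering paths, and the option labels are constructed sample input.

```javascript
// Added example (not svelte-select's code). Models the difference between
// Svelte's default escaped interpolation and the {@html} directive when an
// option label comes from an untrusted source.

// What Svelte's {label} interpolation effectively does to the value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Equivalent of rendering <div>{label}</div>: markup in the label is inert text.
function renderAsText(label) {
  return `<div class="item">${escapeHtml(label)}</div>`;
}

// Equivalent of rendering <div>{@html label}</div>: the label is trusted markup,
// so anything it contains is parsed and executed by the browser.
function renderAsHtml(label) {
  return `<div class="item">${label}</div>`;
}

// Check used by the test: does the rendered fragment contain a real,
// unescaped <script> start tag?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed option labels: one benign, one carrying markup of the kind an
// untrusted value (a user-supplied display name, for example) could contain.
const benignLabel = "Ada Lovelace";
const hostileLabel = "<script>alert(1)</script>";

for (const label of [benignLabel, hostileLabel]) {
  console.log("{label} :", renderAsText(label));
  console.log("{@html} :", renderAsHtml(label));
}
```

For a plain label both paths produce the same output, which is why the difference is easy to miss until a label contains markup. If `{@html}` is kept for the sake of formatted labels, whatever function sanitizes the label before rendering has to be allow-list based and maintained as such; the escaping path is what you get for free by not using `{@html}`.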

rob-balfre commented 2 years ago

Because I use it ☺️