seiyria / bootstrap-slider

A slider control for Bootstrap 3 & 4.
http://seiyria.github.io/bootstrap-slider/

Security issue: Client Potential Code Injection #958

Closed KinkiWu closed 3 years ago

KinkiWu commented 3 years ago

We use the bootstrap-slider plugin in our project. Currently our white-box security report shows a security issue about "Client Potential Code Injection" in bootstrap-slider.js (v11.0.2). Following is some sample code where the security report shows a security issue. Does bootstrap-slider have any new update? Thanks for your help.

```
700. this._state.value = this.options.value;
....
703. this._state.value = [this.options.value, this.options.max];
....
705. this._state.value = this.options.value;
....
786. this.hideTooltip = this._hideTooltip.bind(this);
....
806. this.sliderElem.addEventListener("mouseleave", this.hideTooltip, false);
....
811. this.sliderElem.addEventListener("touchend", this.hideTooltip, false);
....
816. this.handle1.addEventListener("blur", this.hideTooltip, false);
....
819. this.handle2.addEventListener("blur", this.hideTooltip, false);
....
824. this.handle1.addEventListener("touchend", this.hideTooltip, false);
828. this.handle2.addEventListener("touchend", this.hideTooltip, false);

700. this._state.value = this.options.value;
....
703. this._state.value = [this.options.value, this.options.max];
....
705. this._state.value = this.options.value;
....
761. this.mousedown = this._mousedown.bind(this);
762. this.touchstart = this._touchstart.bind(this);
763. this.touchmove = this._touchmove.bind(this);
....
766. this.sliderElem.addEventListener("touchstart", this.touchstart, false);
767. this.sliderElem.addEventListener("touchmove", this.touchmove, false);
....
770. this.sliderElem.addEventListener("mousedown", this.mousedown, false);
....
773. this.resize = this._resize.bind(this);
774. window.addEventListener("resize", this.resize, false);
....
785. this.showTooltip = this._showTooltip.bind(this);
786. this.hideTooltip = this._hideTooltip.bind(this);
....
805. this.sliderElem.addEventListener("mouseenter", this.showTooltip, false);
....
809. this.sliderElem.addEventListener("touchstart", this.showTooltip, false);
810. this.sliderElem.addEventListener("touchmove", this.showTooltip, false);
....
815. this.handle1.addEventListener("focus", this.showTooltip, false);
....
818. this.handle2.addEventListener("focus", this.showTooltip, false);
....
822. this.handle1.addEventListener("touchstart", this.showTooltip, false);
823. this.handle1.addEventListener("touchmove", this.showTooltip, false);
....
826. this.handle2.addEventListener("touchstart", this.showTooltip, false);
827. this.handle2.addEventListener("touchmove", this.showTooltip, false);

705. this._state.value = this.options.value;
....
773. this.resize = this._resize.bind(this);
774. window.addEventListener("resize", this.resize, false);
....
785. this.showTooltip = this._showTooltip.bind(this);
....
805. this.sliderElem.addEventListener("mouseenter", this.showTooltip, false);

705. this._state.value = this.options.value;
....
762. this.touchstart = this._touchstart.bind(this);
....
766. this.sliderElem.addEventListener("touchstart", this.touchstart, false);

705. this._state.value = this.options.value;
....
761. this.mousedown = this._mousedown.bind(this);
....
770. this.sliderElem.addEventListener("mousedown", this.mousedown, false);
```

seiyria commented 3 years ago

I'm not sure what service this is, but these reports are not very accurate. Regardless, if you're worried about XSS, validate your server inputs before binding them to the client.
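As an added illustration of the maintainer's advice (example code written for this page, not part of the original thread and not bootstrap-slider's own code): the scanner traces above treat `this.options.value` as tainted because it can carry whatever the page passes in. The practical control is at the integration point, before the widget sees the options: coerce server-supplied configuration into a fresh object of whitelisted numeric keys, so no attacker-influenced string, object or function ever reaches `options.value`. The option names `min`, `max`, `step` and `value` are assumed from the widget's documented options (`value` and `max` are the two the traces name); the defaults and the sample payload are constructed here.

```javascript
// Added example, not bootstrap-slider code. Option names min/max/step/value are
// assumed from the widget's documented options; the defaults are constructed.
const SLIDER_DEFAULTS = { min: 0, max: 10, step: 1, value: 0 };

// Accept only finite numbers or non-empty numeric strings; reject everything
// else (NaN, Infinity, objects, arbitrary text) by returning null.
function toFiniteNumber(x) {
  if (typeof x === 'number') return Number.isFinite(x) ? x : null;
  if (typeof x === 'string' && x.trim() !== '') {
    const n = Number(x);
    return Number.isFinite(n) ? n : null;
  }
  return null;
}

function clamp(n, lo, hi) {
  return Math.min(hi, Math.max(lo, n));
}

// Build a brand-new options object that contains only whitelisted keys whose
// values are plain numbers inside the slider's range. Unknown keys from the
// payload are dropped rather than copied through.
function sanitizeSliderOptions(raw, defaults = SLIDER_DEFAULTS) {
  const src = raw !== null && typeof raw === 'object' ? raw : {};

  let min = toFiniteNumber(src.min);
  let max = toFiniteNumber(src.max);
  if (min === null) min = defaults.min;
  if (max === null) max = defaults.max;
  // An inverted or empty range is not fixed up by guessing; fall back instead.
  if (max <= min) { min = defaults.min; max = defaults.max; }

  let step = toFiniteNumber(src.step);
  if (step === null || step <= 0) step = defaults.step;

  let value;
  if (Array.isArray(src.value)) {
    // Range slider: exactly two numeric endpoints, clamped and ordered.
    const lo = src.value.length === 2 ? toFiniteNumber(src.value[0]) : null;
    const hi = src.value.length === 2 ? toFiniteNumber(src.value[1]) : null;
    value = lo === null || hi === null
      ? [min, max]
      : [clamp(lo, min, max), clamp(hi, min, max)].sort((a, b) => a - b);
  } else {
    // Single-value slider: one number, clamped into [min, max].
    const v = toFiniteNumber(src.value);
    value = clamp(v === null ? defaults.value : v, min, max);
  }

  return { min, max, step, value };
}

// Client-side usage (not executed here, no DOM involved):
//   const cfg = sanitizeSliderOptions(JSON.parse(responseText));
//   new Slider('#price', cfg);   // Slider: the widget's constructor (assumed)
```

The point of returning a freshly built object rather than the parsed payload itself is that every property the widget reads is then guaranteed to be a number the validator produced; nothing from the server response is forwarded by reference, which is what "validate your server inputs before binding them to the client" amounts to in practice.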