snapappointments / bootstrap-select

:rocket: The jQuery plugin that brings select elements into the 21st century with intuitive multiselection, searching, and much more.
https://developer.snapappointments.com/bootstrap-select/
MIT License

XSS injection possible with data-content #2870

Open gabriel-cardoso opened 5 months ago

gabriel-cardoso commented 5 months ago

It looks like it's possible to inject JavaScript code with the data-content option.

When data-content="<img src=x onerror=console.log('hello')">, the onerror attribute is correctly removed from the generated HTML but it looks like the value is interpreted ("hello" is displayed in the JS console).

Is it the expected behaviour?

<html>
<head>
  <title>XSS Injection</title>
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.8/css/bootstrap-select.css">
  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
  <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
  <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.bundle.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.18/js/bootstrap-select.js"></script>
</head>
<body>
  <!-- bootstrap-select initialises every .selectpicker on DOM ready; no explicit call needed -->
  <select class="selectpicker">
    <!-- data-content is rendered as HTML: the onerror attribute is stripped from the output,
         but the handler still runs once (see the console) -->
    <option data-content="<img src='x' onerror='console.log(9)'>">hello</option>
  </select>
</body>
</html>

Here is a JSFiddle illustrating the issue
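The symptom reported above (the onerror attribute is gone from the rendered markup, yet the handler ran once) is what a defender sees when untrusted markup is parsed by the live document before an attribute allowlist is applied: the element exists in the page for a moment, and that moment is enough. The check below is an added example written for this thread; it is not bootstrap-select code and makes no claim about how the plugin sanitizes internally. It parses data-content in an inert DOMParser document, applies a hypothetical tag/attribute allowlist (ALLOWED_TAGS, ALLOWED_ATTRS and SAFE_URL are choices made for this demo), and only then imports the surviving nodes into the page. The payload is the one from the report, used only as the test input.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Inert-document sanitization check (added example)</title>
</head>
<body>
  <select id="demo">
    <!-- same payload as the report above, used here only as the test input -->
    <option data-content="<img src='x' onerror='window.__handlerFired = true'>">hello</option>
  </select>
  <div id="out"></div>
  <pre id="result"></pre>

  <script>
    // Added example, not bootstrap-select code. The allowlist is a hypothetical
    // choice for this demo; a real project would define its own.
    var ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'span', 'img', 'br'];
    var ALLOWED_ATTRS = { '*': ['class', 'title'], img: ['src', 'alt', 'width', 'height'] };
    var SAFE_URL = /^(?:https?:|data:image\/(?:png|jpeg|gif|webp);|\/|#)/i;

    function isAllowedAttr(tag, attr, value) {
      var name = attr.toLowerCase();
      if (name.indexOf('on') === 0) return false;          // drop every event handler
      var ok = ALLOWED_ATTRS['*'].concat(ALLOWED_ATTRS[tag] || []);
      if (ok.indexOf(name) === -1) return false;
      if (name === 'src' || name === 'href') return SAFE_URL.test(value.trim());
      return true;
    }

    // Parse the untrusted string in a document with no browsing context: nothing in it
    // loads, runs or fires while the allowlist is applied. Only the surviving nodes are
    // imported into the live page afterwards.
    function sanitizeToFragment(untrustedHtml) {
      var inert = new DOMParser().parseFromString(untrustedHtml, 'text/html');
      var nodes = inert.body.querySelectorAll('*');        // static list, safe to mutate under
      for (var i = nodes.length - 1; i >= 0; i--) {
        var el = nodes[i];
        var tag = el.tagName.toLowerCase();
        if (ALLOWED_TAGS.indexOf(tag) === -1) { el.remove(); continue; }
        // copy the NamedNodeMap first; removeAttribute mutates it while we iterate
        Array.prototype.slice.call(el.attributes).forEach(function (a) {
          if (!isAllowedAttr(tag, a.name, a.value)) el.removeAttribute(a.name);
        });
      }
      var frag = document.createDocumentFragment();
      while (inert.body.firstChild) {
        frag.appendChild(document.importNode(inert.body.firstChild, true));
      }
      return frag;
    }

    // Self-check: render the option's data-content through the sanitizer and record
    // whether the handler ever ran. If the order were reversed (string into the live DOM
    // first, allowlist second) the img would briefly exist in the page and the flag would flip.
    window.__handlerFired = false;
    var content = document.querySelector('#demo option').getAttribute('data-content');
    document.getElementById('out').appendChild(sanitizeToFragment(content));
    setTimeout(function () {
      document.getElementById('result').textContent =
        'rendered: ' + document.getElementById('out').innerHTML +
        '\nhandler fired: ' + window.__handlerFired;
    }, 500);
  </script>
</body>
</html>
```

Open the file in a browser: the rendered markup is a bare `<img>` (the onerror attribute is removed by the handler rule and `src='x'` fails the URL check) and the flag stays false, because the element was never created in a document that loads images or runs handlers. The same ordering rule applies to any "render this attribute as HTML" feature: sanitize in an inert document, then insert, never the other way round.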

NicolasCARPi commented 5 months ago

Hello,

Thank you for reporting this issue, although it would have been better to do it privately, so we can fix it ahead of publication. But don't worry:

  1. There is no SECURITY.md you could follow
  2. There has been no stable release for the past 4 years
  3. There are no active contributors (see https://github.com/snapappointments/bootstrap-select/issues/2228#issuecomment-1236207188)

So if someone wants to work on a PR, I can click the "Merge" button, but that's all I can do, as I don't have a hand in the release process, and the main author seems to have abandoned this project, which I enjoin everyone reading these lines to do too.

Just to make it clear:

Nobody will fix this

Best, ~Nicolas