Open gabriel-cardoso opened 5 months ago

It looks like it's possible to inject JavaScript code with the `data-content` option. When `data-content="<img src=x onerror=console.log('hello')">`, the `onerror` attribute is correctly removed from the generated HTML but it looks like the value is interpreted ("hello" is displayed in the JS console). Is it the expected behaviour?

Here is a JSFiddle illustrating the issue

Hello,

Thank you for reporting this issue, although it would have been better to do it privately, so we can fix it ahead of publication. But don't worry:

So if someone wants to work on a PR, I can click the "Merge" button, but that's all I can do, as I don't have a hand in the release process, and the main author seems to have abandoned this project, which I enjoin everyone reading these lines to do too.

Just to make it clear:

Best, ~Nicolas
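An added browser repro of one mechanism that produces exactly the symptom reported above (the inserted HTML no longer carries `onerror`, yet "hello" shows up in the console). This is not the reporter's JSFiddle and not the project's code; the function names, and the "pre-check" in `renderLeaky` that parses the raw markup with a live parser before the output is sanitized, are assumptions about where a library might touch untrusted markup, not a reading of this project's source. The payload is a constructed one with the same shape as the one in the report.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Sanitized output, handler still runs: live parse vs. inert parse</title>
<p>Rendered content (sanitized):</p>
<div id="out"></div>
<pre id="log"></pre>
<script>
  // Constructed input, same shape as the payload in the report (not taken from the project).
  const untrusted = '<img src=x onerror="console.log(\'hello\'); note(\'onerror ran\')"> popover text';

  function note(msg) { document.getElementById('log').textContent += msg + '\n'; }

  // Strip event-handler attributes and script-bearing URLs from every element under root.
  function stripDangerousAttributes(root) {
    const urlAttrs = ['href', 'src', 'xlink:href', 'action', 'formaction'];
    for (const el of root.querySelectorAll('*')) {
      for (const attr of Array.from(el.attributes)) {   // copy: removal mutates the live map
        const name = attr.name.toLowerCase();
        const value = attr.value.trim().toLowerCase();
        if (name.startsWith('on') ||
            (urlAttrs.includes(name) && /^(javascript|vbscript|data):/.test(value))) {
          el.removeAttribute(attr.name);
        }
      }
    }
  }

  // Parse into an inert document: it has no browsing context, so nothing is fetched
  // and no handler can run while we walk it.
  function sanitizeInert(html) {
    const doc = new DOMParser().parseFromString(html, 'text/html');
    stripDangerousAttributes(doc.body);
    return doc.body.innerHTML;
  }

  // Hypothetical leaky pattern: the raw markup is first parsed by a live parser
  // (here to check it contains an element; jQuery's $(content) behaves the same way)
  // and only the output is sanitized. The throwaway <img> keeps its onerror, the
  // fetch of "x" fails, and the handler fires, even though the HTML that was
  // inserted into the page no longer contains the attribute.
  function renderLeaky(html, target) {
    const probe = document.createElement('div');
    probe.innerHTML = html;                       // real <img> created: fetch starts, onerror attached
    if (probe.childElementCount === 0) return '';
    target.innerHTML = sanitizeInert(html);       // clean output; the probe's handler fires anyway
    return target.innerHTML;
  }

  // Fixed: every look at untrusted markup, the pre-check included, goes through the inert parse.
  function renderSafe(html, target) {
    const doc = new DOMParser().parseFromString(html, 'text/html');
    if (doc.body.childElementCount === 0) return '';
    stripDangerousAttributes(doc.body);
    target.innerHTML = doc.body.innerHTML;
    return target.innerHTML;
  }

  const out = document.getElementById('out');
  const mode = new URLSearchParams(location.search).get('mode') === 'safe' ? 'safe' : 'leaky';
  const result = (mode === 'safe' ? renderSafe : renderLeaky)(untrusted, out);
  note(mode + ' output: ' + result);   // both modes print '<img src="x"> popover text'
  // leaky: the log then gains "onerror ran" and the console shows "hello"; safe: nothing further happens
</script>
```

Open the file in a browser to see the leaky path, and append `?mode=safe` to the URL for the fixed one. The check to make against the library under discussion is therefore not only "does the output still contain `onerror`" but "does any code path hand the raw string to `innerHTML`, `$(...)`, `createContextualFragment` or similar before it is sanitized". Note also that the sanitized `<img src="x">` is still inserted into the live page, so the browser will request `x` (a harmless 404) either way; a sanitizer that must avoid that has to drop the element, not just its handlers.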