valor-software / ng2-tree

Angular tree component
http://valor-software.com/ng2-tree/index.html
MIT License

ng2-tree rename is prone to XSS #241

Open sfilipi opened 6 years ago

sfilipi commented 6 years ago

Enable the right menu on ng2-tree. Right click on a node -> Rename and enter the following as the new node's name:

<img onerror="alert('hi')" src="/">

Notice the page runs the script.

The user input to the node name should be sanitized before use.
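The fix the report asks for is to treat the renamed label as text, not markup. The following is an added example (not ng2-tree's own code) showing the escaping step that makes the reported payload inert, beside the unsafe string-splicing pattern that lets it run; `renderNodeLabel`, `renderNodeLabelUnsafe` and `containsEventHandlerTag` are hypothetical helpers used only to illustrate the difference.

```javascript
// Added example, not part of ng2-tree: escape untrusted text before it is
// placed into HTML so a renamed node's label is displayed literally.

// The five characters that can change meaning inside HTML text or attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Return `text` with every HTML-significant character replaced by its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical rendering helper: build the markup for a node label. The name
// comes from the rename box, so it is attacker-controlled and is escaped
// before being concatenated into HTML.
function renderNodeLabel(name) {
  return `<span class="node-value">${escapeHtml(name)}</span>`;
}

// Vulnerable counterpart for comparison: the raw name is spliced into markup,
// so an <img onerror=...> name becomes a live element with an event handler.
function renderNodeLabelUnsafe(name) {
  return `<span class="node-value">${name}</span>`;
}

// Simple regression check for a unit test: does the rendered string still
// contain a tag carrying an on* event-handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed input: the exact payload quoted in the report above.
const REPORTED_PAYLOAD = '<img onerror="alert(\'hi\')" src="/">';

// Demonstration when run directly.
console.log('unsafe :', renderNodeLabelUnsafe(REPORTED_PAYLOAD));
console.log('escaped:', renderNodeLabel(REPORTED_PAYLOAD));
console.log('unsafe still has handler:', containsEventHandlerTag(renderNodeLabelUnsafe(REPORTED_PAYLOAD)));
console.log('escaped still has handler:', containsEventHandlerTag(renderNodeLabel(REPORTED_PAYLOAD)));
```

In an Angular template, `{{ node.value }}` interpolation performs this escaping automatically; the hazard appears when the name is inserted as markup instead, for example by assigning it to an element's `innerHTML` directly or by marking it trusted with `bypassSecurityTrustHtml`. The `containsEventHandlerTag` check is a cheap assertion to keep in the component's tests so a regression to the unsafe path is caught.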

rychkog commented 6 years ago

@sfilipi Thanks for that - will do a fix ASAP!