XSS injection problem

[briedis]

There still persists an xss injection.

Just try to edit tests, and alerts are being thrown. You can see there is added an ESCAPED string, but it is unescaped and placed in DOM as HTML:

    beforeEach(function() {
        [..]
        for (var i = 1; i < 100; i++) {
            var $option = $('<option value="' + i + '">&lt;script&gt;alert(1);&lt;/script&gt;</option>');
            [..]
        }
        [..]
    });

[davidstutz]

Well, as I see it, this is a result of using .html instead of .text within the code. Do you have any suggestions of how to get it XSS save while being as flexible as before, i.e. stil being able to provide HTML code within an option?

[railapex]

I'd make .html vs. .text an option. Use .text by default so as to be XSS safe.

I don't think there's any way to make .html really safe from BS multiselect's point of view, or if there is it would be an unreasonable amount of extra code and work.

If somebody turns on .html mode, then it's their responsibility to sanitize the input to ensure it's simple markup only and no XSS is possibile.

[davidstutz]

Sounds like a really good option, thanks! Did some research and .text seems to be XSS safe.