Skip to content

fix(dropdown): possible XSS through select option text#2705

Merged
lubber-de merged 2 commits intofomantic:developfrom
lubber-de:selectXSS
Feb 19, 2023
Merged

fix(dropdown): possible XSS through select option text#2705
lubber-de merged 2 commits intofomantic:developfrom
lubber-de:selectXSS

Conversation

@lubber-de
Copy link
Copy Markdown
Member

@lubber-de lubber-de commented Feb 19, 2023
edited
Loading

Description

This PR fixes a possible XSS through an entity encoded select option text when converted into a FUI dropdown.
Even if preserveHTML: false would prevent this, a select tag cannot contain html at all and if it contains entity encoded HTML instead, it should not be reconverted into html.

The PR also fixes recreating the dropdown menu twice when no values are selected in a multiple dropdown

Thanks to @brian-codes for reporting

Testcase

  • Select the obvious evil dropdown entry

Broken

The alert message appears upon selection
https://jsfiddle.net/lubber/f5to49ew/3/

Fixed

All fine
https://jsfiddle.net/lubber/f5to49ew/5/

Closes

#2692 (reply in thread)
#2817

@lubber-de lubber-de added type/bug Any issue which is a bug or PR which fixes a bug lang/javascript Anything involving JavaScript state/awaiting-reviews Pull requests which are waiting for reviews type/security Anything related to security labels Feb 19, 2023
@lubber-de lubber-de added this to the 2.9.3 milestone Feb 19, 2023
@lubber-de
Copy link
Copy Markdown
Member Author

lubber-de commented Feb 19, 2023

@all-contributors please add @brian-codes for security

@allcontributors allcontributors bot mentioned this pull request Feb 19, 2023
Merged
@allcontributors
Copy link
Copy Markdown
Contributor

allcontributors bot commented Feb 19, 2023

@lubber-de

I've put up a pull request to add @brian-codes! 🎉

@lubber-de lubber-de merged commit be4492b into fomantic:develop Feb 19, 2023
@lubber-de lubber-de deleted the selectXSS branch February 19, 2023 19:16
@lubber-de lubber-de removed the state/awaiting-reviews Pull requests which are waiting for reviews label Feb 19, 2023
@lubber-de lubber-de mentioned this pull request Apr 11, 2023
Closed
@lubber-de lubber-de mentioned this pull request Jun 9, 2023
Closed
@mvorisek mvorisek mentioned this pull request Mar 10, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ko2in ko2in Awaiting requested review from ko2in

@ColinFrick ColinFrick Awaiting requested review from ColinFrick

@prudho prudho Awaiting requested review from prudho

@y0hami y0hami Awaiting requested review from y0hami

Assignees

No one assigned

Labels

lang/javascript Anything involving JavaScript type/bug Any issue which is a bug or PR which fixes a bug type/security Anything related to security

Projects

None yet

Milestone

2.9.3

Development

Successfully merging this pull request may close these issues.

1 participant

@lubber-de