XSS injection possible with data-content #2870
It looks like it's possible to inject JavaScript code with the `data-content` option. When

`data-content="<img src=x onerror=console.log('hello')">`

the `onerror` attribute is correctly removed from the generated HTML, but it looks like the value is interpreted ("hello" is displayed in the JS console). Is it the expected behaviour?

Here is a JSFiddle illustrating the issue

Comments

Hello, thank you for reporting this issue, although it would have been better to do it privately, so we could fix it ahead of publication. But don't worry:

So if someone wants to work on a PR, I can click the "Merge" button, but that's all I can do, as I don't have a hand in the release process, and the main author seems to have abandoned this project, which I enjoin everyone reading these lines to do too. Just to make it clear: nobody will fix this.

Best,
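The report above describes the classic failure mode of "strip the dangerous attribute after the fact": once an `<img src=x onerror=...>` string has been parsed into a live document, the image load is already in flight and the handler can run no matter what is later removed from the markup. The sketch below is an added example, not code from the project this issue is filed against, and it does not claim to be the cause of this particular bug (the issue does not say how `data-content` is processed). It parses the untrusted string into an inert `DOMParser` document, which has no browsing context, so scripts in it never execute and images are not fetched; only after elements and attributes outside an allow list have been dropped is the cleaned markup serialised back for insertion. The names `sanitizeHtml`, `isSafeAttribute`, `isSafeUrl` and the allow lists are this example's own choices.

```javascript
// Added example, not code from the project this issue is filed against.
// The function names and allow lists below are this example's own choices.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "span",
                              "ul", "ol", "li", "a", "img"]);

// Per-tag attribute allow list; "*" applies to every allowed tag.
const ALLOWED_ATTRS = {
  "*": new Set(["class", "title"]),
  a: new Set(["href"]),
  img: new Set(["src", "alt", "width", "height"]),
};
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Accept relative URLs and the schemes above; reject javascript:, data:, etc.
// Browsers strip leading/trailing C0 controls and spaces and drop tab/CR/LF
// anywhere before parsing a URL, so do the same before looking at the scheme,
// otherwise " java\nscript:alert(1)" would pass a naive prefix check.
function isSafeUrl(value) {
  const cleaned = String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true;                       // no scheme at all: relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Decide whether an attribute may stay on an element with the given tag name.
function isSafeAttribute(tag, name, value) {
  const n = String(name).toLowerCase();
  if (n.startsWith("on")) return false;      // onerror, onload, onclick, ...
  const perTag = ALLOWED_ATTRS[String(tag).toLowerCase()];
  const allowed = ALLOWED_ATTRS["*"].has(n) ||
                  (perTag !== undefined && perTag.has(n));
  if (!allowed) return false;
  return !URL_ATTRS.has(n) || isSafeUrl(value);
}

// Browser-only. DOMParser builds a document with no browsing context: scripts
// in it never execute and <img src=...> is not fetched, so an onerror handler
// cannot fire while we are still deciding whether to keep it. Only the
// serialised, cleaned string is later handed to the live page.
function sanitizeHtml(html) {
  if (typeof DOMParser === "undefined") {
    throw new Error("sanitizeHtml needs a browser DOM (DOMParser)");
  }
  const doc = new DOMParser().parseFromString(String(html), "text/html");
  // Snapshot the element list first: a live NodeList shifts as nodes are removed.
  for (const el of Array.from(doc.body.querySelectorAll("*"))) {
    const tag = el.localName;
    if (!ALLOWED_TAGS.has(tag)) {
      el.remove();                           // drop the element and its subtree
      continue;
    }
    for (const attr of Array.from(el.attributes)) {
      if (!isSafeAttribute(tag, attr.name, attr.value)) {
        el.removeAttribute(attr.name);
      }
    }
  }
  return doc.body.innerHTML;
}

// Intended use in a page (not executed here):
//   popoverBody.innerHTML = sanitizeHtml(trigger.getAttribute("data-content"));
// For the payload from this issue the result is <img src="x">: the element is
// kept, the handler is gone before any live document ever sees it.
```

Only the string helpers run outside a browser; `sanitizeHtml` needs a DOM. Dropping disallowed elements together with their subtree is the conservative choice here (a `<script>` body should not survive as text); unwrapping instead of removing is a reasonable alternative for layout tags. For production use a maintained sanitiser such as DOMPurify, which also covers mutation-XSS cases that a single tree walk like this does not.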