Doesn't escape HTML entities #13
jsonTree.js will print out HTML content to the page as is rather than escaping the HTML entities. This results in the HTML being inserted into the DOM and presented, and allows some types of custom JavaScript execution. This constitutes an XSS vulnerability for any pages that render user-provided JSON using this library.

For example, on your demo page at http://summerstyle.github.io/jsonTreeViewer/ - provide the input

```json
{"test":"<img src='x' onerror='alert(1)'>"}
```

and observe the alert.

Comments

Is this abandoned? This is quite a serious problem that needs fixing

just .replaceAll() the

Well it's better to use a proper HTML escaper like https://www.npmjs.com/package/escape-html
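The following is an added example, not code from jsonTree.js or from anyone in this thread. It reproduces the bug class the report describes (JSON values concatenated straight into markup) beside a fixed renderer, using the issue's own proof-of-concept value as constructed input. The tree structure and the `jsontree_*` class names are assumptions chosen for illustration; the real library's markup differs. `escapeHtml` is a minimal hand-rolled stand-in for the escape-html package suggested above, included so the example runs with no dependencies.

```javascript
// Added example: unescaped vs. escaped rendering of attacker-controlled JSON.
// Rendering is done to an HTML string (what innerHTML would receive), so the
// difference is visible without a DOM.

// Constructed input, taken from the issue's proof of concept.
const POC = { test: "<img src='x' onerror='alert(1)'>" };

// Minimal HTML escaper: the five characters that can change meaning in text
// or in double/single-quoted attribute contexts. In a real project use the
// escape-html package; this is a dependency-free equivalent.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Generic tree renderer. `escape` is applied to every key and leaf value
// before it is concatenated into markup. Keys are escaped too: an attacker
// who controls the JSON controls its keys as much as its values.
// (Assumed structure and class names; not jsonTree.js's markup.)
function renderNode(node, escape) {
  if (node !== null && typeof node === 'object') {
    const isArray = Array.isArray(node);
    const keys = isArray ? node.map((_, i) => i) : Object.keys(node);
    const items = keys.map((k) =>
      '<li><span class="jsontree_key">' + escape(String(k)) + '</span>: ' +
      renderNode(node[k], escape) + '</li>');
    return '<ul class="jsontree_node">' + items.join('') + '</ul>';
  }
  // Leaf: JSON.stringify gives the quoted/literal form a viewer displays.
  return '<span class="jsontree_leaf">' + escape(JSON.stringify(node)) + '</span>';
}

// Vulnerable: the "escape" step is the identity, exactly the reported bug.
function renderUnsafe(json) {
  return renderNode(json, (s) => s);
}

// Fixed: every interpolated string passes through escapeHtml.
function renderSafe(json) {
  return renderNode(json, escapeHtml);
}

// Why a one-character replaceAll('<', '&lt;') is not sufficient: '&' must be
// escaped too, or a value containing "&lt;" is *un*-escaped by the browser,
// and quotes must be escaped wherever a value may land in an attribute.
function halfFix(str) {
  return String(str).replaceAll('<', '&lt;');
}

// Quick self-check a reviewer can run against any renderer: the PoC tag must
// not survive as live markup.
function containsLiveImg(html) {
  return html.includes('<img');
}
```

`renderUnsafe(POC)` yields `<span class="jsontree_leaf">"<img src='x' onerror='alert(1)'>"</span>` inside the tree, which is live markup once assigned to innerHTML; `renderSafe(POC)` yields `&quot;&lt;img src=&#39;x&#39; onerror=&#39;alert(1)&#39;&gt;&quot;` instead. When the output is built with DOM APIs rather than strings, the equivalent fix is to set the value with `textContent` or `createTextNode` and never through `innerHTML`.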