
Doesn't escape HTML entities #13

spankykopita opened this issue Oct 2, 2018 · 3 comments

Comments

@spankykopita

jsonTree.js will print out HTML content to the page as is rather than escaping the HTML entities. This results in the HTML being inserted into the DOM and presented, and allows some types of custom JavaScript execution. This constitutes an XSS vulnerability for any pages that render user-provided JSON using this library.

For example, on your demo page at http://summerstyle.github.io/jsonTreeViewer/ - provide the input {"test":"<img src='x' onerror='alert(1)'>"} and observe the alert.

@Heath123

Is this abandoned? This is quite a serious problem that needs fixing.

@KraXen72

KraXen72 commented Jan 2, 2021

Just .replaceAll() the < and > for their respective HTML entities in your code before parsing.

@Heath123

Heath123 commented Jan 2, 2021

> Just .replaceAll() the < and > for their respective HTML entities in your code before parsing.

Well it's better to use a proper HTML escaper like https://www.npmjs.com/package/escape-html
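The fix the thread converges on, as an added example rather than jsonTree.js's own code: escape all five HTML-significant characters (the same replacements the escape-html package makes, not only `<` and `>`) before any JSON key or value is written via innerHTML. The `renderJsonHtml` renderer is a hypothetical stand-in for the library's output routine; the input is the string from the issue report.

```javascript
// Added example (not jsonTree.js code). Map of the five characters that can
// change HTML parsing, including the quotes that matter inside attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a string so a browser displays it as text instead of parsing it.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical tree renderer: walks a parsed JSON value and builds the HTML
// a viewer would assign to innerHTML. Every key and primitive passes through
// escapeHtml, so markup carried in the data cannot become DOM nodes.
function renderJsonHtml(value) {
  if (value === null || typeof value !== "object") {
    const type = value === null ? "null" : typeof value;
    return `<span class="${type}">${escapeHtml(JSON.stringify(value))}</span>`;
  }
  if (Array.isArray(value)) {
    return `<ul>${value.map((v) => `<li>${renderJsonHtml(v)}</li>`).join("")}</ul>`;
  }
  return `<ul>${Object.entries(value)
    .map(([k, v]) =>
      `<li><span class="key">${escapeHtml(JSON.stringify(k))}</span>: ${renderJsonHtml(v)}</li>`)
    .join("")}</ul>`;
}

// Constructed input: the JSON document quoted in the issue, parsed first so
// the escaping is applied to the decoded string the viewer would display.
const reported = JSON.parse(`{"test":"<img src='x' onerror='alert(1)'>"}`);
const rendered = renderJsonHtml(reported);
console.log(rendered);
```

The output contains `&lt;img src=&#39;x&#39; ...&gt;` as visible text, so no element is created and no event handler attribute is ever parsed.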
