Script tag is not escaped when using :option="" in form-select


I was trying to do some XSS in my project and I got some un-shown text, which I found out was caused by the script tag not being escaped… So I tried doing a v-for loop inside an <option> tag and using {{ }} (double brackets) to escape the script tag. I would like to make a pull request, but sadly bootstrap_vue is using renderless components (I don't really know, but it's using render functions), which I don't have much knowledge about. So I just submitted an issue here.

By the way, you can replicate the problem using the live documentation on the Bootstrap_vue site.

My browser: Opera. Operating system: Fedora LXDE.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 2
  • Comments: 17 (4 by maintainers)

Top GitHub Comments

4 reactions
Remigius2011 commented, Jan 21, 2019

@pi0 I have already changed my code to use slots after discovering the vulnerabilities in my app. So actually it is up to you and the team to decide whether to minimize changes in bootstrap-vue or the likelihood of other developers introducing vulnerabilities in her/his app (I would opt for the latter if I were to decide).

I agree with your point in the clarification letter that separating trusted from untrusted input is not (and cannot be) the task of bootstrap-vue (and hence any HTML sanitization, including removal of <script> tags, which is neither necessary nor sufficient, can be dropped), but providing separate channels for trusted (HTML) and untrusted (text) data is important, and it would avoid confusion and wrong expectations if the respective properties were named and documented accordingly. But clearly, the two channels are already there: the text property for trusted HTML and the slot for untrusted text.

3 reactions
Remigius2011 commented, Sep 6, 2018

IMHO: nope! App developers would then end up doubling their code for sanitizing all texts…

Seriously, see e.g. the description of v-html in the vuejs doc: https://vuejs.org/v2/guide/syntax.html#Raw-HTML

If you have a property called options.text you are implying that this is interpreted as text and hence passed to a text-like property (domProps.textContent in this case). Otherwise it should be called options.html (which could exist simultaneously and be passed into innerHTML). Otherwise, this should be clearly documented to avoid security risks (I assume more than 90% of app developers who pass in user input will not sanitize it and will have a security vulnerability in their app). Please feel free to consult resources of the security folklore to make an informed decision, but at least add some documentation that the property options.text is not secure (i.e. treated as HTML, similar to the remarks for v-html) and that explicit options should be used instead if the content is untrusted (e.g. select controls filled from database content and/or user input).
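To make the two sinks discussed in this thread concrete, here is an added example; it is not bootstrap-vue's code and does not reproduce its render function. It is a tiny serializer that applies the browser's rules for a Vue 2 render function's domProps: innerHTML is parsed as markup, while textContent and plain text children (what a slot produces) are inserted as text. The names h(), serialize(), renderOptionsUnsafe() and renderOptionsSafe() and the SAMPLE_OPTIONS input are assumptions made for this illustration.

```javascript
// Added example, not bootstrap-vue's code. Mimics how domProps.innerHTML,
// domProps.textContent and text children reach the DOM, to show why an
// options.text string routed to innerHTML is a markup (XSS) sink.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Minimal vnode constructor with the same shape as Vue 2's createElement(tag, data, children).
// (Hypothetical helper for this example.)
function h(tag, data = {}, children = []) {
  return { tag, attrs: data.attrs || {}, domProps: data.domProps || {}, children };
}

// Render a vnode tree to an HTML string: innerHTML is emitted raw,
// textContent and text children are escaped.
function serialize(vnode) {
  if (typeof vnode === 'string') return escapeHtml(vnode); // text child (slot content): always escaped
  const attrs = Object.entries(vnode.attrs)
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`)
    .join('');
  let inner;
  if ('innerHTML' in vnode.domProps) {
    inner = String(vnode.domProps.innerHTML); // raw markup sink
  } else if ('textContent' in vnode.domProps) {
    inner = escapeHtml(vnode.domProps.textContent); // text sink
  } else {
    inner = vnode.children.map(serialize).join('');
  }
  return `<${vnode.tag}${attrs}>${inner}</${vnode.tag}>`;
}

// The pattern the issue describes: every option's `text` goes to innerHTML,
// so an untrusted string reaches a markup sink unescaped.
function renderOptionsUnsafe(options) {
  const children = options.map((o) =>
    h('option', { attrs: { value: o.value }, domProps: { innerHTML: o.text } }));
  return serialize(h('select', {}, children));
}

// Two explicit channels, as proposed in the thread: `text` is treated as
// untrusted and goes through textContent; `html` is opt-in for markup the
// caller vouches for.
function renderOptionsSafe(options) {
  const children = options.map((o) => {
    const domProps = o.html !== undefined
      ? { innerHTML: o.html }
      : { textContent: o.text };
    return h('option', { attrs: { value: o.value }, domProps });
  });
  return serialize(h('select', {}, children));
}

// Constructed sample input: one label straight from a user, one trusted
// label that deliberately carries markup, one plain label.
const SAMPLE_OPTIONS = [
  { value: 'u1', text: '<script>alert(1)</script> "Mallory"' },
  { value: 'p1', text: 'Plan Pro', html: 'Plan <b>Pro</b>' },
  { value: 'p2', text: 'Plan Basic' },
];
```

Calling renderOptionsUnsafe(SAMPLE_OPTIONS) emits the user-supplied `<script>` tag verbatim inside the `<option>`, which is exactly the unescaped output the issue reports; renderOptionsSafe(SAMPLE_OPTIONS) emits `&lt;script&gt;…` for that option and still renders `<b>Pro</b>` for the option that explicitly used the html channel. One caveat a reviewer should keep in mind: browsers do not execute a `<script>` element that arrives through innerHTML, but the same sink accepts any other markup, which is why the comment above calls stripping `<script>` tags neither necessary nor sufficient. The fix is choosing the right sink for untrusted data, not filtering one tag.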
