Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Script tag is not escaped when using :option="" in form-select
See original GitHub issueI was trying to do some XSS in my project and I got some un-shown text. Which I found out that it was the cause of the script tag that was not escaped… So I tried doing a v-for loop inside an <option> tag and use
{{ }} (Double brackets) to escaped the script tag. I would like to make a pull request sadly bootstrap_vue is using a render less components (I don’t really know but it’s using render function) which I don’t have much knowledge about. So I just submitted an Issue here.
by the way you can replicate the problem using the Live documentation on Bootstrap_vue site.
My browser: Opera Operating System: Fedora LXDE
Issue Analytics
- State:
- Created 5 years ago
- Reactions:2
- Comments:17 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@pi0 i have already changed my code to use slots after discovering the vulnerabilities in my app. so actually it is up to you and the team to decide on whether to minimize changes in
bootstrap-vueor the likelyhood of other developers to introduce vulnerabilities in her/his app (i would opt for the latter if i were to decide).i agree with your point in the clarification letter that separating trusted from untrusted input is not (and cannot be) the task of
bootstrap-vue(and hence any html sanitization - including removal of<script>tags, which is neither necessary nor sufficient - can be dropped), but providing separate channels for trusted (html) and untrusted (text) data is important, and it vould avoid confusion and wrong expectations if the respective properties were named and documented accordingly. but clearly, the two channels are already there: thetextproperty for trusted html and the slot for untrusted text.imho: nope! app developers would then end up doubling their code for sanitizing all texts…
Seriously, see e.g. the description of v-html in the vuejs doc: https://vuejs.org/v2/guide/syntax.html#Raw-HTML
If you have a property called
options.textyou are alluding this is interpreted as text and hence passed to a text-like property (domProps.textContentin this case). Otherwise it should be calledoptions.html(which could exist simultaneously and be passed intoinnerHTML. Otherwise, this should be clearly documented to avoid security risks (I assume more than 90% of app developers who pass in user input will not sanitize it and have a security vulnerability in their app). Please feel free to consult resources of the security folklore to make an informed decision - but at least add some documentation that the propertyoptions.textis not secure (i.e. treated as HTML - similar to the remarks forv-html) and explicit options should be used instead if the content is untrusted (e.g.selectcontrols filled from database content and/or user input).