Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
[Bug]: The bx--slider-text-input input field accepts invalid inputs including certain types of script injections
See original GitHub issuePackage
carbon-components
Browser
Firefox ESR
Package version
10.17
Description
The bx--slider-text-input input field stores/caches invalid inputs including certain types of script injections
CodeSandbox example
https://codesandbox.io/s/frosty-hamilton-so9n8
Steps to reproduce
- In the attached code sandbox enter an alphanumeric string that looks like scientific notation but isn’t, such as “6y7”, into the input field
- Hit ENTER on your keyboard
🪲 BUG - The invalid input is stored / cached🪲
- In the attached code sandbox field paste the following injection that contains an esoteric attack vector into the input field
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> - Hit ENTER on your keyboard
🪲 BUG - The invalid inputs are stored / cached🪲
Code of Conduct
- I agree to follow this project’s Code of Conduct
- I checked the current issues for duplicate problems
Issue Analytics
- State:
- Created 2 years ago
- Comments:6 (6 by maintainers)
Top Results From Across the Web
Preventing HTML and Script injections in Javascript
What I'm really asking here is if there is a standard method of avoiding both HTML and Script injection in Javascript. Everyone seems...
Read more >Types of SQL Injection Attacks
"SQL injection is a code injection technique that exploits a security ... dynamic SQL statement, error revealation, and the insufficient input validation.
Read more >SQL Injection Testing Tutorial (Example and Prevention of ...
I'm testing a web application whose links connect to the developer database. When entering values with single quote into the input fields, a ......
Read more >Common SQL Injection Attacks | Pentest-Tools.com
SQL Injection attacks allow hackers to steal sensitive information from databases. Here are some common SQL Injection attack examples and techniques.
Read more >SQL Injection Tutorial - w3resource
If an incorrect query is sent to a database, some application servers return the default error message and the attacker takes the advantage...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
@brnnnfx Could you be more specific about what you expect the behavior to be?
In chrome, the only characters that I am allowed to type in the input field are ones that are part of valid numbers (including scientific notation). Pasting is similar in that only valid number characters will be pasted into the input. All other characters in the paste are discarded.
In Firefox, the behavior is slightly different in that you can type any character into the input box itself, but when you go to retrieve the
valueof the input element, the value will be""if the input text is not a valid number. Here’s a relevant Firefox issue discussing that behavior and the justification of it: https://bugzilla.mozilla.org/show_bug.cgi?id=1398528rel: https://github.com/carbon-design-system/carbon/issues/7039