Security question: Use HTML by default for Toasts/Tooltips/Autocomplete and expose an XSS
Expected Behavior
Don't execute HTML/JavaScript by default for Toasts, Tooltips and Autocomplete
Current Behavior
By default, when you add dynamic content like Toast, Tooltips and Autocomplete, you inject input data as HTML. I think all people who use MaterializeCss implement components like your examples.
It's a bad practice; by default, your input data could be sanitized, or you could use jquery.text('untrustData') instead of jquery.html('untrustData') or innerHTML = 'untrustData'.
Possible Solution
If you want to allow HTML, why not, but sanitize the HTML and don't allow JavaScript. If the end user wants to allow HTML and JavaScript, add a new configuration parameter like options: { allowUnsafeData: true }
Steps to Reproduce (for bugs)
Toast
var userId = '<IFRAME SRC="javascript:alert(document.cookie);"></IFRAME>'
M.toast({html: `userId: ${userId} fail`})
Tooltips
<a class="btn tooltipped" data-position="bottom" data-tooltip="<IFRAME SRC='javascript:alert(document.cookie);'></IFRAME></script>">Hover me!</a>
Autocomplete
$('input.autocomplete').autocomplete({
  data: {
    "Apple": "\"><IFRAME SRC=\"javascript:alert(document.cookie);\"></IFRAME>",
    "Microsoft": null,
    "Google": 'https://placehold.it/250x250',
  }
});
Context
I agree that the developer needs to control his data before injecting it into a third-party library, but at the same time we forget to do it.
How I found this case:
- (Client) Send JavaScript in a field
- (Server) The server fails and returns a message containing the JavaScript
- (Client) Reuse the message from the server and show it with the Toast
- I have a reflected XSS
It's my fault: I didn't validate the data and I returned this script without sanitizing it. If by default your library didn't allow HTML, I would not have found this behavior.
Your Environment
- Version used: 0.100.2 and 1.0.0
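The "text by default, HTML only on request" behaviour proposed above, as an added example written for this page; it is not code from Materialize or from the issue's author. The helper names (escapeHtml, renderToastMarkup, safeToastHtml, escapeAutocompleteData, containsTag) and the allowUnsafeHtml option are hypothetical, the payload is constructed to match the shape of the one in the report, and everything works on plain strings so it runs under Node without a DOM.

```javascript
// Added example (not part of Materialize): escape untrusted data before it
// reaches innerHTML, and only pass raw HTML through on explicit opt-in.
// Helper names and the allowUnsafeHtml option are hypothetical.

// Constructed payload, same shape as the one in the issue report.
const UNTRUSTED_USER_ID =
  '<IFRAME SRC="javascript:alert(document.cookie);"></IFRAME>';

// Constructed autocomplete data, same shape as the issue's example.
const UNTRUSTED_AUTOCOMPLETE_DATA = {
  Apple: '"><IFRAME SRC="javascript:alert(document.cookie);"></IFRAME>',
  Microsoft: null,
  Google: 'https://placehold.it/250x250',
};

// Escape the five characters that let a string break out of an HTML text
// node or a quoted attribute value. The result can be assigned to innerHTML
// and will render as literal text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// What a library-side default could look like: the message is treated as
// text unless the caller explicitly asks for raw HTML (cf. the issue's
// proposed allowUnsafeData option).
function renderToastMarkup(message, options = {}) {
  return options.allowUnsafeHtml === true ? message : escapeHtml(message);
}

// Template interpolation exactly as in the reproduction step: the
// untrusted value lands inside the toast's HTML unchanged.
function vulnerableToastHtml(userId) {
  return `userId: ${userId} fail`;
}

// Same message, with the untrusted part escaped before interpolation.
function safeToastHtml(userId) {
  return `userId: ${escapeHtml(userId)} fail`;
}

// Autocomplete entries are rendered as HTML too, so escape both the label
// and the image URL; null (no image) is preserved.
function escapeAutocompleteData(data) {
  const out = {};
  for (const [label, image] of Object.entries(data)) {
    out[escapeHtml(label)] = image === null ? null : escapeHtml(image);
  }
  return out;
}

// Check used below: would this string introduce an element if parsed as
// HTML? An escaped string contains no '<' at all.
function containsTag(markup) {
  return /<\s*[a-z]/i.test(markup);
}

// Browser-side usage (not run here):
//   el.textContent = userId;                   // never parsed as HTML
//   el.innerHTML = safeToastHtml(userId);      // escaped before parsing
//   M.toast({ html: safeToastHtml(userId) });  // caller-side mitigation
```

The escaping has to happen where the library writes innerHTML (or on the value the caller hands to it). Escaping the payload inside a data-tooltip attribute in the page markup does not help on its own: the browser decodes the entities when the attribute is read, so the library would still receive the raw `<IFRAME ...>` string and inject it.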
Issue Analytics
- Created 5 years ago
- Reactions: 15
- Comments: 30 (12 by maintainers)
Top GitHub Comments
This is still reported here https://www.npmjs.com/advisories/818 on npm as a moderate vulnerability, which means GitHub and npm will keep popping up the security issue.
@Dogfalo, any idea when we can expect the fix for this?
Hi @FINDarkside, thanks for bringing this to our attention. In the tooltip and toast, it was intended to allow HTML, as we wanted to allow developers to customize the content. We should have made the warnings clear that the input was not sanitized.
However, we will make a change to sanitize HTML input for all 3 of the components to help protect developers who haven't sanitized their inputs.