[Tooltip] Insecure HTML sanitize
Bug description:
Tooltip allows HTML content which is sanitized for most common code injections such as script tags. Documentation: https://ng-bootstrap.github.io/#/components/tooltip/examples#tplcontent
However, anchor tags with an external href link are still allowed!
Tooltip should escape such markup as it can impact users' security and privacy.
Link to minimally-working StackBlitz that reproduces the issue:
StackBlitz: https://stackblitz.com/edit/angular-bqmpjp?file=app/tooltip-tplcontent.html
Versions of Angular, ng-bootstrap and Bootstrap:
Angular: 7.0.0
ng-bootstrap: 4.0.0
Steps to reproduce:
- Click on the button to open tooltip
- Click on the tooltip to open external web site.
Issue analytics: created 5 years ago; 5 comments (3 by maintainers)
Top GitHub Comments
Depending on what you mean by “bypassed” - notice that in your stackblitz renders
unsafe:javascript:alert('owned')
which effectively prevents JS alert. This is exactly what happens with pure Angular (no ng-bootstrap involved): https://stackblitz.com/edit/angular-juy4wa?file=src%2Fapp%2Fapp.component.html
Again, we don’t do anything special here. What works (in the sense: " is sanitized") in Angular follows the same rules in ng-bootstrap.
@mboughaba I think that there is some confusion going on about how the sanitiser works.
The Angular sanitiser will not sanitise static attributes (those written in templates), see: https://stackblitz.com/edit/angular-w4v9es?file=src%2Fapp%2Fapp.component.html
The reason for this is simple - if an author of a template puts in some code that executes JS, then we are assuming that this is the intention of the template author. If we can’t trust template / application authors, then we would have to assume that those people are potential attackers and there is nothing Angular can do about it.
Angular will sanitise output from expressions, as demonstrated in your stackblitz.
I still hold my ground - the tooltip is using standard Angular templates and its sanitisation rules are no different from those of any other Angular template. This is how we want it to be.
Does it make sense?
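The two maintainer comments above rest on one distinction: the sanitizer neutralises URL schemes that can execute code (that is why the reporter's StackBlitz renders `unsafe:javascript:alert('owned')`), it does not judge whether a link is external, and it only runs on values that come from expression bindings, never on literals the template author wrote. The following is an added illustration, not Angular's or ng-bootstrap's code: `sanitizeUrl` is a simplified reimplementation of the scheme allow-list idea (the exact scheme list and the `renderAnchor`, `escapeAttr` and `isAllowedLink` helpers are assumptions of this example), and `isAllowedLink` shows the application-level host policy an application would have to add itself if external links in user-supplied tooltip content are unwanted, which is what the reporter was asking the library to do.

```javascript
// Added example, not Angular's or ng-bootstrap's code. The scheme list below
// is an assumption of this example, chosen to make the behaviour in the issue
// reproducible: javascript: is neutralised, an external https:// link is not.
const SAFE_URL_SCHEMES = new Set(['http', 'https', 'mailto', 'tel', 'ftp']);

// Return the URL unchanged if it has no scheme (a relative URL) or a scheme on
// the allow-list; otherwise prefix it with "unsafe:" so the browser no longer
// sees a runnable scheme at the start of the attribute value.
function sanitizeUrl(value) {
  const url = String(value).trim();
  // Browsers ignore ASCII control characters and whitespace inside a scheme
  // ("java\tscript:"), so decide on a stripped copy but return the original.
  const stripped = url.replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  if (m === null) return url;
  return SAFE_URL_SCHEMES.has(m[1].toLowerCase()) ? url : 'unsafe:' + url;
}

// Minimal attribute escaping so the rendered string is well-formed HTML.
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Stand-in for the template/binding distinction the maintainer describes:
// a value produced by an expression binding passes through the sanitizer,
// a literal written by the template author is trusted as-is.
function renderAnchor({ href, fromBinding }) {
  const finalHref = fromBinding ? sanitizeUrl(href) : href;
  return `<a href="${escapeAttr(finalHref)}">link</a>`;
}

// Application-level policy (assumed here, not part of Angular): only http(s)
// links to hosts on an allow-list may appear in user-supplied content.
// Relative links are resolved against `base` (a hypothetical app origin).
function isAllowedLink(value, allowedHosts, base = 'https://app.example/') {
  let parsed;
  try {
    parsed = new URL(String(value), base);
  } catch {
    return false; // unparseable input is rejected rather than guessed at
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  return allowedHosts.includes(parsed.hostname);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderAnchor({ href: "javascript:alert('owned')", fromBinding: true }));
  console.log(renderAnchor({ href: 'https://evil.example/', fromBinding: true }));
  console.log(isAllowedLink('https://evil.example/', ['app.example']));
}
```

The first two `console.log` lines show the sanitizer's verdicts side by side: the `javascript:` value comes back as `unsafe:javascript:alert('owned')`, the external `https://` link comes back untouched. Only the third check, the host allow-list, says anything about external links, and that check lives in the application, not in the sanitizer.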