
[Dropdown] Security Vulnerability with data-text


When adding the data-text option to dropdown items, when the user clicks on them the contents are executed. Here is a simple JSFiddle with two dropdowns: http://jsfiddle.net/daneren2005/7x4jqbe7/2/. The top one uses data-text and you will get a popup XSS when you select the only option. The second does not use it and isn’t vulnerable.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments:10 (1 by maintainers)

Top GitHub Comments

2 reactions
lubber-de commented, Oct 6, 2022

We implemented data sanitizing and added a security page to the docs https://fomantic-ui.com/modules/dropdown.html#/security

2 reactions
jlukic commented, Oct 7, 2018

This is not a security issue; removing HTML parsing is already a setting.

$('.ui.dropdown.selection').dropdown({preserveHTML: false});

No alert in this jsfiddle fork http://jsfiddle.net/15pw0Lku/

It’s up to implementors to decide if they want to prevent this behavior. This can also be solved with CSP.
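To make the two positions above concrete, here is an added example (not Semantic-UI's or Fomantic-UI's own code) that models what a dropdown does with an item's data-text: with HTML preserved, markup in the label is written into the selected-text element as-is; with it disabled, the label is escaped first. The element structure, the `preserveHTML` option name mirroring the setting quoted above, and the hostile label are constructed for illustration.

```javascript
// Added example: minimal model of a dropdown copying an item's data-text
// into its selected-text element. Not the library's own implementation.

// Escape the characters that change meaning in HTML text/attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the HTML written into the dropdown's text element.
// preserveHTML = true mirrors the behaviour reported in the issue: markup in
// data-text is interpreted by the browser. false renders it as literal text,
// which is what `.dropdown({ preserveHTML: false })` achieves in the library.
function renderSelectedText(dataText, { preserveHTML = true } = {}) {
  const inner = preserveHTML ? dataText : escapeHtml(dataText);
  return `<div class="text">${inner}</div>`;
}

// Rough check used only to show the difference between the two modes: does
// the rendered markup contain a tag carrying an on* event-handler attribute?
function containsEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed attacker-controlled label, the kind of value that in the issue
// arrives through an item's data-text attribute (hypothetical test input).
const hostileLabel = '<img src=x onerror="alert(\'xss\')">';

const vulnerable = renderSelectedText(hostileLabel, { preserveHTML: true });
const hardened = renderSelectedText(hostileLabel, { preserveHTML: false });

console.log('preserveHTML: true  ->', vulnerable); // handler attribute survives
console.log('preserveHTML: false ->', hardened);   // rendered as inert text

// Defence in depth: a Content-Security-Policy without 'unsafe-inline' in
// script-src also blocks inline handlers like onerror, as the comment above notes.
```

The escaped form is what the user sees as the literal characters of the label, so the item is still selectable but no markup from data-text reaches the parser.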
