
Make users aware of risks when implementing autoComplete


Hello guys, thank you for your contribution, however I suggest you make the users aware that they have to work on protecting their search form from XFS & XSS attacks… e.g.

Go to your own example form https://tarekraafat.github.io/autoComplete.js/demo/ and search literally for:

<a href="javascript:alert('Hi')">hi</a>

then search literally for:

<iframe src="https://tarekraafat.github.io/autoComplete.js/#/" height="200" width="300" title="Iframe Example"></iframe>

Malicious users may find autoComplete a source of vulnerable clients or victims for attacking others or right on them.

My suggestion is to make users aware of such risks before they go into production. To check their code for Cross-Frame Scripting and Cross-Site Scripting vulnerabilities…

I am not saying you are super wrong, no, your contribution is beautiful, yet there are less experienced users out there probably implementing your code.

Cheers.
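The issue above boils down to untrusted query text and result strings being inserted into result markup as HTML. The following is an added example, not code from autoComplete.js or from the issue participants: it shows the defensive pattern of escaping every user-controlled string before it is interpolated into the result list, so the two payloads quoted in the issue render as literal text instead of being parsed. The function names (`escapeHtml`, `renderResultItem`, `renderNoResults`) and the sample candidates are assumptions made for this example; the maintainer's fix refers to escape-goat, and the hand-rolled escaper here is a dependency-free stand-in for that kind of helper.

```javascript
// Added example (not autoComplete.js code): escape user-controlled text
// before it is inserted into autocomplete result markup.

// Minimal HTML entity map covering the characters that can break out of
// text content or an attribute value.
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every HTML-significant character with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Markup for one result row with the matched substring highlighted.
// The candidate and the raw query are escaped before they touch HTML;
// the <mark> wrapper is the only markup that is intentionally emitted.
function renderResultItem(candidate, query) {
  const idx = candidate.toLowerCase().indexOf(query.toLowerCase());
  if (query.length === 0 || idx === -1) {
    return `<li>${escapeHtml(candidate)}</li>`;
  }
  const before = candidate.slice(0, idx);
  const match = candidate.slice(idx, idx + query.length);
  const after = candidate.slice(idx + query.length);
  return `<li>${escapeHtml(before)}<mark>${escapeHtml(match)}</mark>${escapeHtml(after)}</li>`;
}

// "No results" row that echoes the query back. This is the path where the
// untrusted input reaches the DOM even though nothing matched, so it needs
// the same escaping as a real result.
function renderNoResults(query) {
  return `<li class="no_result">No results found for "${escapeHtml(query)}"</li>`;
}

// Render a whole result list from a query and a candidate array.
function renderResults(candidates, query) {
  const q = query.toLowerCase();
  const hits = candidates.filter((c) => c.toLowerCase().includes(q));
  if (hits.length === 0) {
    return `<ul>${renderNoResults(query)}</ul>`;
  }
  return `<ul>${hits.map((c) => renderResultItem(c, query)).join("")}</ul>`;
}

// Constructed sample data: the first payload quoted in the issue and a
// small candidate list that does not contain it.
const SAMPLE_QUERY = `<a href="javascript:alert('Hi')">hi</a>`;
const SAMPLE_CANDIDATES = ["Chicken fried rice", "Thai chicken"];

// Returns true when the rendered list contains no raw "<a" tag, i.e. the
// payload survived only as escaped text.
function payloadIsInert(candidates, query) {
  const html = renderResults(candidates, query);
  return !html.includes("<a ") && html.includes("&lt;a ");
}

console.log(renderResults(SAMPLE_CANDIDATES, "chick"));
console.log(renderResults(SAMPLE_CANDIDATES, SAMPLE_QUERY));
console.log("payload inert:", payloadIsInert(SAMPLE_CANDIDATES, SAMPLE_QUERY));
```

In a browser the same effect can be had without string building at all: create the `<li>` with `document.createElement` and assign the candidate through `textContent`, which never parses markup. String escaping is shown here because autocomplete libraries usually expose a result template that is concatenated into `innerHTML`, and that is exactly the path the issue exercises.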

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments:7 (3 by maintainers)

Top GitHub Comments

1 reaction
TarekRaafat commented, Jul 7, 2021

Hello @needlag,

I totally agree with you on your point of spreading awareness of the possible risks.

That’s why I have added to the library’s docs under the Usage section a security alert on this specific risk along with some recommendations, and please feel free to check it out and share your feedback on it if you’d like to.

Thank you for raising such a critical point, and have a nice day! 😃

0 reactions
TarekRaafat commented, Jul 7, 2021

@folknor, good catch as usual!

I’ve fixed it and am publishing it now, and I’ve added escape-goat to the references as well.

Thanks man, and have a nice day! 😃
