Core: Added escapeHtml option to avoid XSS attacks via showLabel method #2462
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks @volkanceylan |
|
@volkanceylan Hey there, did this fix get added to a new release? According to Sonatype vulnerability listing "sonatype-2023-0681", which links to this page, the vulnerability has not been addressed in a new release since the current one version 1.19.5 is still affected correct? |
|
I don't think they released it yet, and it is not on by default so just updating won't resolve the issue. |
|
@bholmesACR see 1.20.0 |
|
@bytestream Thanks! Also do we have to turn on/enable something like @volkanceylan says even after updating to remediate the risk? Just want to confirm |
|
@bholmesACR You have to set |
This was referenced Sep 8, 2024
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a new constructor option "escapeHtml".
There is a script injection risk if the messages set via $.validator.messages etc. are originating from a user localizable dictionary, like a translation screen as the showLabel function uses .html() to set the label content. Even in cases where that is not an issue, if the message itself contains a format placeholder like "{0} is not valid value for this field", as the value passed to {0} is a user input, it still provides an opportunity for script injection attacks albeit at a lower risk.