You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
Cross-site Scripting in @spscommerce/ds-react
Critical severity
GitHub Reviewed
Published
Dec 15, 2023
to the GitHub Advisory Database
•
Updated Dec 15, 2023
XSS, anyone using the SPS Select with options prop populated from user input is impacted. If these options are stored, then it could have been a stored XSS.
Patches
The code has been patched for version 7 of woodland. Users should upgrade to 7.17.4 or higher
Workarounds
This is not recommended. If you are not upgrading then you would need to sanitize your options yourself (including those currently stored in databases). This is not recommended.
Impact
XSS, anyone using the SPS Select with options prop populated from user input is impacted. If these options are stored, then it could have been a stored XSS.
Patches
The code has been patched for version 7 of woodland. Users should upgrade to 7.17.4 or higher
Workarounds
This is not recommended. If you are not upgrading then you would need to sanitize your options yourself (including those currently stored in databases). This is not recommended.
References
https://github.com/SPSCommerce/woodland/blob/c49e999f97f3c0b56502859f4de1e8c6666dd74d/packages/ds-react/src/option-list/SpsOptionList.tsx#L559
References