fix: security fix for cross-site scripting (xss) #611

Open
wants to merge 2 commits into
base: master

mikegioia-ss

The form library suffered from an XSS issue, which was caused by 2 minor issues inside the code, which made possible the usage of eval on unsanitized values (inside the "override" of parseJSON) and HTML parsing on an unsanitized AJAX response.

The 2 issues have been fixed in the following way:

  1. The eval inside the parseJSON function has been removed, and an error has been added which arises when the default $.parseJSON function (in jQuery) isn't declared (anyone with good intentions would simply add the jQuery script to the page and everything works correctly again).
  2. The unsanitized AJAX response was previously passed to parseHTML without any check, making it possible to inject additional HTML. I used a peculiarity of jQuery to translate the evaluated HTML nodes into text nodes, which are equal to HTML-encoded entities. It can be verified by seeing this:
    image
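
Added example, not part of the pull request or the plugin's code: a sketch of the first fix described above (dropping the eval fallback in the parseJSON override), runnable in Node. The function names, the stub objects standing in for jQuery, and the response body are all constructed assumptions.

```javascript
// Added illustration: all names here are hypothetical, not taken from the plugin.

// "Before" shape described in the PR: use the library's JSON parser when it
// exists, otherwise eval the raw response text.
function legacyParser(lib) {
  return (lib && lib.parseJSON) || function (text) {
    // Indirect eval: any JavaScript expression in `text` is executed.
    return (0, eval)('(' + text + ')');
  };
}

// "After" shape: no eval; a missing library parser is reported as an error.
function strictParser(lib) {
  return (lib && lib.parseJSON) || function () {
    throw new Error('parseJSON is unavailable: load jQuery before the form plugin');
  };
}

// Constructed response body: looks like JSON but carries an expression
// with a harmless, observable side effect.
const RESPONSE = '{"ok": (globalThis.__demoFlag = "ran")}';

function compare() {
  const result = {};
  const noLib = {};                          // stands in for a page without $.parseJSON
  const withLib = { parseJSON: JSON.parse }; // stand-in for a strict library parser

  delete globalThis.__demoFlag;
  legacyParser(noLib)(RESPONSE);
  result.legacyExecuted = globalThis.__demoFlag === 'ran';

  delete globalThis.__demoFlag;
  for (const [key, lib] of [['strictNoLib', noLib], ['strictWithLib', withLib]]) {
    try {
      strictParser(lib)(RESPONSE);
      result[key] = 'parsed';
    } catch (e) {
      result[key] = e.name; // record which error type rejected the body
    }
  }
  result.strictExecuted = globalThis.__demoFlag === 'ran';
  delete globalThis.__demoFlag;

  // Well-formed JSON still parses through the strict path.
  result.validJson = strictParser(withLib)('{"ok": true}').ok;
  return result;
}
```

`compare()` reports that only the eval fallback executes the embedded expression; the strict path either throws the explicit "unavailable" error or rejects the body as a syntax error.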

@mikegioia-ss
Author

Greetings team -- this is an updated version of the wonderful fix from #586

I included a dist file, an updated version to 4.3.1, and everything I believe is needed for a proper update.

Please let me know if there is anything else I can do to help.
