
Possible XSS injection #191

Closed
cwinland opened this issue Mar 14, 2023 · 2 comments

Comments

@cwinland
Contributor

cwinland commented Mar 14, 2023

DragnDrop.ts (BuildDragEventHandler function) has a place that could possibly be an XSS injection.

```ts
// Excerpt from BuildDragEventHandler: the configured `script` string is
// compiled and executed as JavaScript to produce the event handler.
if (script) {
    const scriptHandler = Function(`return ${script}`)()
}
```

Is it possible to do this a bit differently?

I could possibly add something to my PR #190

@Tewr
Owner

Tewr commented Mar 14, 2023

Hello, I don't see how this can be used for injection; could you show me?

As documented here, user-provided data/scripts must not be used as arguments here; that would indeed pose a risk of XSS. The idea is simply to provide extensibility.

@cwinland
Contributor Author

Hi, yes, very good point. As long as the developer doesn't use data from user-provided information, it should be fine.
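The distinction the thread settles on, shown as an added example that is not code from the project discussed in this issue: the quoted `Function(`return ${script}`)()` pattern compiles whatever string it receives, so it is only safe while that string is written by the developer; a name-to-handler registry keeps the same extensibility while treating the option string as data. The `DragHandler` type, the event shape, the handler names and the marker global are all constructed for this example.

```typescript
// Added example (not code from the project discussed in this issue).
// It contrasts the quoted pattern, which evaluates a configuration string as
// JavaScript, with a registry lookup in which the string is only a key.
// The DragHandler type, the event shape and the handler names are constructed
// for this example.

interface DragEventInfo {
  type: string;
  files: number;
}

type DragHandler = (ev: DragEventInfo) => string;

// Developer-defined handlers, fixed at build time. This is the only source of
// executable code; the option string cannot add to it.
const handlerRegistry: Record<string, DragHandler> = {
  logDrop: (ev) => `drop: ${ev.files} file(s)`,
  countOnly: (ev) => String(ev.files),
};

// The pattern quoted in the issue: the string is compiled and run in global
// scope, so whatever it contains executes while the handler is being built.
function buildHandlerByEval(script: string): DragHandler {
  return Function(`return ${script}`)() as DragHandler;
}

// Registry lookup: the option string selects a handler by name. The own-property
// check keeps names such as "constructor" from resolving through Object.prototype.
function buildHandlerByLookup(name: string): DragHandler {
  if (!Object.prototype.hasOwnProperty.call(handlerRegistry, name)) {
    throw new Error(`unknown drag handler "${name}"`);
  }
  return handlerRegistry[name];
}

// Shows why the eval path must only ever see developer-written strings: a
// constructed, benign option string sets a global marker as a side effect
// before any drag event has occurred. Returns true when the side effect ran.
function evalRunsArbitraryCode(): boolean {
  const g = globalThis as unknown as Record<string, unknown>;
  delete g["__dragDemoMarker"];
  buildHandlerByEval("(globalThis.__dragDemoMarker = 'ran', () => 'noop')");
  return g["__dragDemoMarker"] === "ran";
}

// Resolves a handler name through the registry and runs it, or returns null
// when the name is not registered.
function runRegisteredHandler(name: string, ev: DragEventInfo): string | null {
  try {
    return buildHandlerByLookup(name)(ev);
  } catch {
    return null;
  }
}

console.log(runRegisteredHandler("logDrop", { type: "drop", files: 2 })); // drop: 2 file(s)
console.log(runRegisteredHandler("constructor", { type: "drop", files: 2 })); // null
console.log(evalRunsArbitraryCode()); // true
```

Where the option string is a compile-time constant chosen by the developer, as the maintainer describes, both paths behave the same; the registry only matters once the string can come from configuration or request data, at which point the lookup rejects it instead of executing it.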
