
sanitize template option for tooltip/popover plugins #28236

Merged (3 commits), Feb 13, 2019

Conversation

@Johann-S (Member) commented Feb 11, 2019

XSS was possible in the tooltip or popover data-template, data-content and data-title attributes.

Fixes CVE-2019-8331.

Johann-S requested a review from a team as a code owner, February 11, 2019 21:00
@XhmikosR (Member)

@MarkCarver: you need to tone down the discussion.

@Johann-S (Member, Author) commented Feb 12, 2019

Ok things I have to do:

  • Update the docs
  • Sanitize title and content if html is set to true
  • Not allowing sanitize to be set by data attributes in HTML

And I think it'll be good; do not hesitate @MarkCarver if you have any feedback, I think I heard you 👍

Johann-S force-pushed the v4-dev-jo-sanitize branch 2 times, most recently from ae35b82 to e780c0a (February 12, 2019 10:55)
@markhalliwell

I think the title option still needs to be sanitized, didn't see that in the latest code changes yet.

@markhalliwell

  • Not allowing sanitize to be set by data attributes in HTML

Not allowing sanitize or whiteList to be set by data attributes in HTML
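The two hardening steps from Johann-S's list above and markhalliwell's addition (sanitize title/content when `html` is true; never read `sanitize` or `whiteList` from data attributes), as an added example that is not Bootstrap's own code. Plain objects stand in for DOM nodes so it runs under Node; option names other than `html`, `sanitize` and `whiteList`, the whitelist contents and the URL pattern are assumptions.

```javascript
// Sanitizer controls may only be set from JavaScript, never from data-*
// attributes, which live in the (possibly injected) markup itself.
const JS_ONLY_OPTIONS = new Set(['sanitize', 'sanitizeFn', 'whiteList']);
const URI_ATTRS = new Set(['href', 'src', 'cite', 'background', 'poster']);
// A known-safe scheme, or a scheme-less relative URL (assumed pattern).
const SAFE_URL = /^(?:(?:https?|mailto|ftp|tel):|[^&:/?#]*(?:[/?#]|$))/i;
const DEFAULT_WHITELIST = { '*': ['class', 'title'], a: ['href'], b: [], i: [], p: [] };
const DEFAULTS = { html: false, sanitize: true, whiteList: DEFAULT_WHITELIST };
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// dataAttrs: the element's data-* attributes read into a plain object.
function getConfig(dataAttrs, jsConfig = {}) {
  const fromMarkup = {};
  for (const [key, value] of Object.entries(dataAttrs)) {
    if (!JS_ONLY_OPTIONS.has(key)) fromMarkup[key] = value; // drop sanitize/whiteList
  }
  return { ...DEFAULTS, ...fromMarkup, ...jsConfig };
}

// Attribute must be listed for the tag or '*'; URL attributes must also be safe.
function allowedAttribute(tag, name, value, whiteList) {
  const allowed = [...(own(whiteList, '*') ? whiteList['*'] : []),
                   ...(own(whiteList, tag) ? whiteList[tag] : [])];
  if (!allowed.includes(name)) return false;
  return URI_ATTRS.has(name) ? SAFE_URL.test(String(value).trim()) : true;
}

// Node: a string (text) or { tag, attrs: { name: value }, children: [...] }.
// Elements not in the whitelist are removed together with their subtree.
function sanitizeNodes(nodes, whiteList) {
  const out = [];
  for (const node of nodes) {
    if (typeof node === 'string') { out.push(node); continue; }
    const tag = node.tag.toLowerCase();
    if (!own(whiteList, tag)) continue; // own(): 'constructor' etc. never match
    const attrs = {};
    for (const [name, value] of Object.entries(node.attrs || {})) {
      if (allowedAttribute(tag, name.toLowerCase(), value, whiteList)) attrs[name] = value;
    }
    out.push({ tag, attrs, children: sanitizeNodes(node.children || [], whiteList) });
  }
  return out;
}

// Title/content handling: plain text unless html is true; with html true the
// content is sanitized unless JavaScript config explicitly set sanitize:false.
function prepareContent(content, config) {
  if (config.html !== true && config.html !== 'true') return [String(content)];
  return config.sanitize === false ? content : sanitizeNodes(content, config.whiteList);
}
```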

@Johann-S (Member, Author)

The title is sanitized by the same method which sanitizes content

@markhalliwell

Ah, you're right. Forgot that BS4 added setElementContent.

Johann-S force-pushed the v4-dev-jo-sanitize branch 3 times, most recently from 2f8ab60 to e47107e (February 12, 2019 13:23)
@markhalliwell

Just that tiny doc nit, but other than that I think this looks good!

@Johann-S++

Ty and amazing work!

XhmikosR force-pushed the v4-dev-jo-sanitize branch 3 times, most recently from f62e91f to 1bcb21a (February 12, 2019 14:13)