This repository was archived by the owner on Oct 2, 2019. It is now read-only.
XSS. highlight filter takes text and treats it as html without encoding #2048
Open
Description
The highlight filter is supposed to be used with ng-bind-html but does not perform any html encoding on the input. When items in a select are user generated, there is a potential for malicious behaviour.
For example, if a user enters a name as Bob <img src="//porn.xxx/nsfw.gif"> Smith, the image will be rendered in the select dropdown.
The plnkr shows two ui-selects: one has the problematic highlight, the other uses a fixed version of highlight.
http://plnkr.co/edit/PR1IndT4oXZCm4UrnrNo?p=preview
The bug is in the highlight filter in ui-select/common.js in 0.19.8
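As an added example (not ui-select's own code; the function and constant names are assumed), a minimal model of a highlight filter: the unsafe form that returns item text as raw HTML next to a hardened form that matches on the raw text and HTML-escapes every segment before emitting the highlight span.

```javascript
// Added example, not ui-select's code. Models a highlight filter whose
// output is fed to ng-bind-html, so anything it returns is treated as HTML.

const HIGHLIGHT_OPEN = '<span class="ui-select-highlight">';
const HIGHLIGHT_CLOSE = '</span>';

// Escape regex metacharacters so the user's query is matched literally.
function escapeRegExp(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: wraps matches in a span but passes the rest of the item
// through untouched, so markup in a user-supplied item is rendered.
function highlightUnsafe(item, query) {
  if (!query || !item) return item;
  const re = new RegExp(escapeRegExp(query), 'gi');
  return String(item).replace(re, HIGHLIGHT_OPEN + '$&' + HIGHLIGHT_CLOSE);
}

// Hardened: find matches on the raw text, then escape each slice
// (matched and unmatched) so only the span itself is interpreted as HTML.
function highlightSafe(item, query) {
  if (item == null) return item;
  const text = String(item);
  if (!query) return escapeHtml(text);
  const re = new RegExp(escapeRegExp(query), 'gi');
  let out = '';
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    if (m[0].length === 0) { re.lastIndex++; continue; } // guard against empty matches
    out += escapeHtml(text.slice(last, m.index));
    out += HIGHLIGHT_OPEN + escapeHtml(m[0]) + HIGHLIGHT_CLOSE;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample item, shaped like the user-supplied name in the report.
const SAMPLE_NAME = 'Bob <img src="//example.invalid/x.gif"> Smith';
```

Escaping after matching rather than before keeps a query such as `&` or `<` matching the raw text instead of the entity it would become.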