
Potential XSS vulnerability. #5462

Open
RahulKhandelwal17 opened this issue Jan 18, 2024 · 2 comments

Comments

@RahulKhandelwal17

We are doing R&D on the form.io JS library, and while doing research we found a potential XSS vulnerability.
The issue arises when specific text is entered during the addition of a component.
To replicate, drag and drop a component and paste the following code into the Tooltip text area:

<img src=x onerror=window.open('https://www.google.com/');>

Immediately after pasting, it triggers a new tab to open.
Additionally, once saved or if any further modification is made to the form, it causes redirections with each action.

JavaScript.Powered.Forms.and.Form.io.SDK.-.Google.Chrome.2024-01-04.17-00-32.mp4
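The report above describes untrusted tooltip text being rendered as live HTML. The following is an added illustration of the defensive side, not form.io's own code: a hypothetical string-based tooltip renderer that escapes the text before it lands in markup, its unsafe counterpart for contrast, and a small check a maintainer could keep as a regression test. The sample input is the payload quoted in the report; the function names (`escapeHtml`, `renderTooltipHtml`, `foreignTags`) are assumptions for this example.

```javascript
// Added example (not form.io code). Assumes the builder stores the tooltip as a
// plain string and some layer turns it into markup; names here are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of text or attribute context.
// After this, "<img ...>" is displayed literally instead of creating an element.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: both the component label and the tooltip text are untrusted
// input from the form designer, so both are escaped before interpolation.
function renderTooltipHtml(label, tooltipText) {
  return (
    `<span class="tooltip">${escapeHtml(label)}` +
    `<span class="tooltip-text">${escapeHtml(tooltipText)}</span></span>`
  );
}

// Vulnerable counterpart for contrast: raw concatenation means any tag in
// tooltipText becomes a real element as soon as the string hits innerHTML.
function renderTooltipHtmlUnsafe(label, tooltipText) {
  return (
    `<span class="tooltip">${label}` +
    `<span class="tooltip-text">${tooltipText}</span></span>`
  );
}

// Regression check: list every tag in the output that is not one of the <span>
// elements the renderer itself emits. A correct renderer returns an empty list
// for any input, because user text can never introduce a tag.
function foreignTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !/^<\/?span\b/.test(tag));
}

// Constructed sample: the tooltip payload quoted in the issue report.
const SAMPLE_TOOLTIP = "<img src=x onerror=window.open('https://www.google.com/');>";

// Usage: compare what reaches the DOM in each case.
console.log('safe  :', renderTooltipHtml('Name', SAMPLE_TOOLTIP));
console.log('unsafe:', renderTooltipHtmlUnsafe('Name', SAMPLE_TOOLTIP));
console.log('foreign tags (safe):', foreignTags(renderTooltipHtml('Name', SAMPLE_TOOLTIP)));
console.log('foreign tags (unsafe):', foreignTags(renderTooltipHtmlUnsafe('Name', SAMPLE_TOOLTIP)));
```

In a browser the equivalent fix is to assign the tooltip string with `textContent` (or `setAttribute('title', ...)`) rather than `innerHTML`; the escaping function above is only needed when markup is assembled as a string, for example in a template layer. The `foreignTags` check is deliberately strict: it flags any non-`span` tag, so a future change that starts passing tooltip text through unescaped fails the test immediately.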
@brendanbond
Contributor

Hey thanks @RahulKhandelwal17 - we're aware of this issue and it will be fixed in the next coming version.

@lane-formio
Contributor

Fixed by: #5392
