
XSS vulnerability in [email protected]

Open gtsp233 opened this issue 2 years ago • 0 comments

I've found a Cross-Site Scripting (XSS) vulnerability in this package.

Vulnerability Details:

  • Severity: High/Critical
  • Description: There's a risk of malicious script execution when an adversary controls the text.

Steps to Reproduce: In a React.js project:

import React from "react";
import TextTransition, { presets } from "react-text-transition";

const App = () => {
    const [index, setIndex] = React.useState(0);

    React.useEffect(() => {
        // Advance the counter every 3 seconds so the transition re-renders.
        const intervalId = setInterval(() =>
            setIndex(index => index + 1),
            3000 // every 3 seconds
        );
        // setInterval must be cleared with clearInterval, not clearTimeout.
        return () => clearInterval(intervalId);
    }, []);

    return (
        <h1>
            {/* Attacker-controlled text: an <img> tag whose onerror handler runs when rendered as HTML. */}
            <TextTransition
                text={`<img src='' onerror=alert(1)></img>`}
                springConfig={presets.wobbly}
            />
        </h1>
    );
};

export default App;

Suggested Fix or Mitigation: It is best practice to sanitize the text before passing it to innerHTML. Please consider sanitizing it using popular sanitization libraries, e.g., dompurify, to prevent any XSS. Thanks!

gtsp233 avatar Jan 23 '24 08:01 gtsp233
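As an added example (not code from the issue or from react-text-transition), the call-site mitigation the reporter points to: treat the transition text as plain text by HTML-escaping it before it reaches anything that writes it through innerHTML, with a lightweight markup check for logging. `escapeHtml`, `looksLikeMarkup` and `safeTransitionText` are hypothetical helper names; DOMPurify, which the report suggests, is the equivalent choice when some markup must be allowed through.

```javascript
// Added example, not part of the issue or the react-text-transition project.
// If a component renders a prop through innerHTML (as the report states this
// one does), the caller must make sure the string cannot carry markup. For a
// prop that is meant to be plain text, HTML escaping is the robust fix: each
// character that can open a tag or attribute becomes its entity, so the
// browser shows it as literal text instead of parsing it.

const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape text so that assigning it to innerHTML yields literal text content.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Detection aid: does the raw string look like it carries a tag or an
// on* event-handler attribute? Used for logging only, never as the gate.
function looksLikeMarkup(text) {
  return /<\s*[a-z!\/]/i.test(text) || /\bon[a-z]+\s*=/i.test(text);
}

// Hypothetical wrapper a caller would use instead of passing raw text to a
// component that injects it via innerHTML. Escaping happens unconditionally;
// the warning only surfaces suspicious input for monitoring.
function safeTransitionText(untrusted) {
  if (looksLikeMarkup(untrusted)) {
    console.warn("possible markup in transition text, escaping:", untrusted);
  }
  return escapeHtml(untrusted);
}

// Constructed sample input: the payload from the report above.
const PAYLOAD = "<img src='' onerror=alert(1)></img>";
```

With the payload escaped, `text={safeTransitionText(userInput)}` renders the string "<img ...>" visibly rather than creating an element, so the onerror handler never exists.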