react-materials

Fix for Cross-Site Scripting (XSS) Vulnerability

Open gtsp233 opened this issue 2 years ago • 0 comments

Hi, I've found a Cross-Site Scripting (XSS) vulnerability in the package @icedesign/richtext-renderer.

Vulnerability Details:

  • Severity: High/Critical
  • Description: There's a risk of malicious script execution when the html is controlled by an adversary.

Steps to Reproduce (POC):

```jsx
import RichtextRenderer from "@icedesign/richtext-renderer"
import React from "react";
import ReactDOM from "react-dom/client";

const root = ReactDOM.createRoot(document.getElementById("root"));

function App() {
  return (
    <RichtextRenderer html="<img src='' onerror=alert(1)" />
  );
}
root.render(<App />);
```

Suggested Fix or Mitigation: Sanitize the html before rendering it using dangerouslySetInnerHTML.

I've already fixed and tested this issue, and have submitted a pull request with the necessary changes. Please review and merge my pull request to resolve this vulnerability. Thanks!

gtsp233 · Jan 22 '24 05:01
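The mitigation the issue suggests (sanitize before the string reaches dangerouslySetInnerHTML), sketched as an added example; it is not the code from the pull request or from the package. The allowlist policy and the names `sanitizeHtml`, `sanitizeAttrs`, `ALLOWED_ATTRS` and `SAFE_URL` are assumptions made for illustration.

```javascript
// Added example: allowlist sanitizer that rebuilds the markup instead of
// filtering it, so output can only contain the tags/attributes listed here.
const ALLOWED_ATTRS = { // tag -> attributes kept (constructed policy)
  p: [], br: [], b: [], i: [], em: [], strong: [], ul: [], ol: [], li: [],
  a: ["href", "title"], img: ["src", "alt", "title"],
};
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i; // scheme allowlist, not a blocklist

const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// Entities already present in the input are re-escaped: lossy, never unsafe.
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);
const isAllowedTag = (t) => Object.prototype.hasOwnProperty.call(ALLOWED_ATTRS, t);

function sanitizeAttrs(tag, raw) {
  const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))/g;
  let out = "", m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (!ALLOWED_ATTRS[tag].includes(name)) continue;           // onerror, style, ...
    if (URL_ATTRS.has(name) && !SAFE_URL.test(value)) continue; // javascript:, data:, empty
    out += ` ${name}="${escapeHtml(value)}"`;                   // always re-quoted and escaped
  }
  return out;
}

function sanitizeHtml(input) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)(\s[^<>]*)?\/?>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags is escaped
    last = tagRe.lastIndex;
    const tag = m[2].toLowerCase();
    if (!isAllowedTag(tag)) continue;              // unknown tag removed, its text stays as text
    out += m[1] ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[3] || "")}>`;
  }
  return out + escapeHtml(input.slice(last));      // unterminated markup becomes plain text
}
```

In a React component the result would be passed as `dangerouslySetInnerHTML={{ __html: sanitizeHtml(html) }}`; a maintained sanitizer such as DOMPurify is the usual production choice for this step.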