Execution of script in message

Question

Execution of script in message

vvnsk opened this issue 5 years ago · comments

Sai Krishna Vinnakota commented 5 years ago

Steps to Reproduce:
Send javascript in message

Expected Result:
javascript code should be considered as string

Actual Result:
Code is being executed.

Sai Krishna Vinnakota · Answer 1 · Wed Oct 16 2019 03:54:36 GMT+0800 (China Standard Time)

Please accept the PR to fix the below issue 3e70ccf

Karl-Henry Martinsson · Answer 2 · Thu Dec 05 2019 05:44:38 GMT+0800 (China Standard Time)

It is up to you as developer to santize the data you are sending to a plugin/function. Since you are the one creating the application, you should clean any data before you pass it on.

Sai Krishna Vinnakota · Answer 3 · Mon Jan 20 2020 23:32:23 GMT+0800 (China Standard Time)

Agreed, Although i feel the necessity to educate the developers to sanitize, By mentioning the same in Read me, or handling the same in the plugin/function.
The issue is a potential threat to cross site scripting and I don't want developers using the Plugin to figure out the same the hard way.

Sam Sanoop · Answer 4 · Thu Jan 23 2020 21:46:22 GMT+0800 (China Standard Time)

Hey @vvnsk I think there is already an option to escape HTML (https://github.com/CodeSeven/toastr#escape-html-characters) did you try this?

Sai Krishna Vinnakota · Answer 5 · Sat Jan 25 2020 08:41:49 GMT+0800 (China Standard Time)

@snoopysecurity I haven't tried that, but that seems to be the solution to my concern. Thank you very much!