CodeSeven / toastr

Simple javascript toast notifications

Home Page:http://www.toastrjs.com


XSS Vulnerability "HIGH" due to default escapeHtml=false setting

nmg196 opened this issue · comments

The default behaviour of toastr is that the displayed HTML is not encoded.

So this code causes a browser popup:

var msg = 'Hello <script>alert("Danger!")</sc' + 'ript>';
toastr.success("Example <strong>Message</strong> " + msg);

There is a setting which controls this called "escapeHtml". However, because this 'fix' is opt-in rather than the default behaviour, it gets flagged in pen tests and security scans as an unfixed HIGH vulnerability.
See: https://security.snyk.io/vuln/SNYK-JS-TOASTR-2396430

Is there no way that escapeHtml = true is the default, and you have to opt in to use HTML instead? Otherwise this library will be permanently flagged as having an XSS vulnerability - category "HIGH", which means it can't be used on many projects.

This would have to be through a new release, as the current release, 2.1.4, is regarded as vulnerable (HIGH) in security scanners:


Is this project dead? Has this issue been ignored?
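The difference between the default and the opt-in setting, as an added example that is not code from the issue or from toastr itself: escapeHtml below is a re-implementation of the escaping the library applies when the option is on (assumed to cover the five characters &, ", ', < and >), and renderToastHtml is a stand-in for the library's rendering, which places the message string into the toast element as HTML. Both are assumptions about the library's internals, written so the comparison runs offline.

```javascript
// Added example, not toastr's own code. Assumption: toastr's escapeHtml
// replaces exactly these five characters, in this order.
function escapeHtml(source) {
  if (source == null) source = '';
  return String(source)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Stand-in for the library's rendering: the message string becomes the
// inner HTML of the toast element. The options object mirrors the one
// setting from toastr.options that matters here, with the library's
// default (escapeHtml: false) when nothing is passed.
function renderToastHtml(message, options) {
  const opts = Object.assign({ escapeHtml: false }, options);
  const body = opts.escapeHtml ? escapeHtml(message) : message;
  return '<div class="toast-message">' + body + '</div>';
}

// Check used below: does the rendered markup still carry a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input taken from the issue; the closing tag is split so the
// string itself can sit inside a <script> block without ending it early.
const untrusted = 'Hello <script>alert("Danger!")</sc' + 'ript>';
const message = 'Example <strong>Message</strong> ' + untrusted;

// Default behaviour: the untrusted content is rendered as-is.
const vulnerable = renderToastHtml(message);
// Hardened: every character that could open markup is encoded.
const hardened = renderToastHtml(message, { escapeHtml: true });

console.log(containsScriptTag(vulnerable)); // true
console.log(containsScriptTag(hardened));   // false
console.log(hardened);
```

With the library itself, the equivalent hardening is setting toastr.options.escapeHtml = true before any toast is shown. Note the trade-off the example makes visible: with escaping on, the legitimate `<strong>` markup in the message is rendered literally too, so callers who want rich toasts have to build that markup from trusted strings rather than concatenating it with user-controlled data.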

commented

@peterlaws Yes it seems to be dead--the latest release was made in 2018

Anyone found a decent similar replacement?

commented

Anyone found a decent similar replacement? [2]