XSS Vulnerability "HIGH" due to default escapeHtml=false setting
nmg196 opened this issue · comments
The default behaviour of toastr is that html displayed is not encoded.
So this code causes a browser popup:
var msg = 'Hello <script>alert("Danger!")</sc' + 'ript>';
toastr.success("Example <strong>Message</strong> " + msg);
There is a setting which controls this called "escapeHtml". However, because this 'fix' is opt-in rather than the default behaviour, it gets flagged in pen tests and security scans as an unfixed HIGH vulnerability.
See: https://security.snyk.io/vuln/SNYK-JS-TOASTR-2396430
Is there no way that escapeHtml = true is the default, and you have to opt in to use HTML instead? Otherwise this library will be permanently flagged as having an XSS vulnerability - category "HIGH", which means it can't be used on many projects.
This would have to be through a new release, as the current release 2.1.4 is regarded as vulnerable (HIGH) in security scanners.
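As an added example (not code from the issue author or from the toastr project), one way to make escaping the default while still allowing fixed, developer-written markup; it assumes the global `toastr` object of toastr 2.x and the `escapeHtml` option discussed above:

```javascript
// Added example, not toastr's own code. Assumes the global `toastr` object
// and its `escapeHtml` option (default false, as the issue describes).

// Escape the five characters that can break out of an HTML text node or
// attribute value. Similar in intent to what toastr does when escapeHtml
// is true; kept here so the untrusted part can be escaped independently.
function escapeHtml(source) {
  return String(source)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Global options applied once at startup: escaping becomes the default, so
// a forgotten escape at one call site no longer renders attacker markup.
const hardenedOptions = { escapeHtml: true };

// Some notifications legitimately need markup. Keep it in a fixed template
// and escape only the untrusted value (for example a name from an API).
function buildMessage(untrustedName) {
  return "Example <strong>Message</strong> Hello " + escapeHtml(untrustedName);
}

function notify(untrustedName) {
  const html = buildMessage(untrustedName);
  if (typeof toastr !== "undefined") {
    Object.assign(toastr.options, hardenedOptions);
    // Per-call override (third argument of toastr.success): the only place
    // escaping is switched off, and the untrusted input is already escaped.
    toastr.success(html, undefined, { escapeHtml: false });
  }
  return html;
}
```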
Is this project dead? This issue has been ignored?
@peterlaws Yes, it seems to be dead: the latest release was made in 2018.
Anyone found a decent similar replacement?