appbaseio / dejavu

The Missing Web UI for Elasticsearch: Import, browse and edit data with rich filters and query views, create search UIs visually.

Home Page: https://dejavu.reactivesearch.io


dejavu 3.5.3 have a XSS vulnerability

burpheart opened this issue · comments

Describe the bug
I am trying to use dejavu, but when I try to use the search preview I find that the HTML tags in my search results are rendered by the browser and the JS scripts in them are executed.

Dejavu Version

Web 3.5.3

To Reproduce

  1. Import data containing HTML tags into ES
  2. Go to Search Preview
  3. Search result values are rendered as HTML

Expected behavior
Data is rendered as text

Screenshots
Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Firefox
  • Version: 97.0.1


@burpheart The ability to render HTML is important (to support the highlighting use case, for example). That said, we've opted for using the dompurify package here to prevent XSS attacks. This is released as part of Dejavu v3.6.0.
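The report above (stored HTML rendered live in Search Preview) and the maintainer's reply (keep highlight markup, sanitise everything else) describe the two sides of the same rendering decision. The following is an added example, not dejavu's code and not DOMPurify: it shows the vulnerable concatenate-into-innerHTML pattern next to two hardened forms, escape-everything and an allowlist that keeps only bare `<em>`/`<mark>` highlight tags. The hit shape, the sample values and the tiny allowlist sanitiser are assumptions made so the example runs in plain Node without a DOM; DOMPurify, which the maintainers adopted in v3.6.0, does the allowlisting job with far broader coverage than this stand-in.

```javascript
// Added example (not dejavu's code, not DOMPurify): escaping vs. allowlist
// sanitising of Elasticsearch hit values before they reach innerHTML.

// Constructed sample hits, shaped like a minimal ES search response.
const SAMPLE_HITS = [
  { _id: '1', _source: { title: 'plain title' } },
  { _id: '2', _source: { title: '<script>alert(1)</script>' } },
  { _id: '3', _source: { title: 'Found <em>dejavu</em> here' } },
  { _id: '4', _source: { title: '<em onmouseover="alert(1)">x</em>' } },
];

// Entity-escape a value so the browser shows it as inert text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored value is concatenated straight into markup
// that the UI then assigns to innerHTML, so any tag in the data is live.
function renderRaw(hit) {
  return `<div class="hit">${hit._source.title}</div>`;
}

// Hardened, simplest form: escape everything. Safe, but highlighter output
// such as <em>term</em> is displayed literally instead of highlighted.
function renderEscaped(hit) {
  return `<div class="hit">${escapeHtml(hit._source.title)}</div>`;
}

// Allowlist stand-in (assumption: only bare <em> and <mark> are wanted for
// highlighting). A tag token is kept only if it is exactly an opening or a
// matching closing tag from the allowlist with no attributes; everything
// else, including <script> and any attribute-bearing tag, is escaped.
const ALLOWED_TAGS = new Set(['em', 'mark']);

function sanitizeAllowlist(value) {
  const out = [];
  const open = []; // stack of currently open allowed tags
  // The capturing group keeps tag-like tokens in the split result.
  for (const token of String(value).split(/(<\/?[a-zA-Z][^<>]*>)/)) {
    const m = /^<(\/?)([a-zA-Z]+)>$/.exec(token);
    const tag = m ? m[2].toLowerCase() : null;
    if (m && ALLOWED_TAGS.has(tag) && !m[1]) {
      open.push(tag);
      out.push(`<${tag}>`);
    } else if (m && ALLOWED_TAGS.has(tag) && open[open.length - 1] === tag) {
      open.pop();
      out.push(`</${tag}>`);
    } else {
      // plain text, an unknown tag, a tag with attributes, or a stray close
      out.push(escapeHtml(token));
    }
  }
  // Close anything the data left open so the hit cannot leak markup
  // into the neighbouring results.
  while (open.length) out.push(`</${open.pop()}>`);
  return out.join('');
}

// Hardened form that still supports highlighting.
function renderSanitized(hit) {
  return `<div class="hit">${sanitizeAllowlist(hit._source.title)}</div>`;
}

for (const hit of SAMPLE_HITS) {
  console.log(`raw:       ${renderRaw(hit)}`);
  console.log(`escaped:   ${renderEscaped(hit)}`);
  console.log(`sanitized: ${renderSanitized(hit)}`);
}
```

The point of the stand-in is the policy, not the parser: everything is text by default, a short list of attribute-free tags is the only thing allowed through, and the list is driven by what the highlighter actually emits. Anything beyond that (entity tricks, nested or malformed markup, SVG and MathML namespaces) is exactly why a maintained library such as DOMPurify belongs in the real code path.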

Can this vulnerability be assigned a CVE number?
