Potential XSS vulnerability.
RahulKhandelwal17 opened this issue · comments
We are doing R&D on the form.io JS library, and while doing research we found a potential XSS vulnerability.
The issue arises when specific text is entered while adding a component.
To replicate, drag and drop a component and paste the following code into the Tooltip text area:
<img src=x onerror=window.open('https://www.google.com/');>
Immediately after pasting, it triggers a new tab to open.
Additionally, once saved or if any further modification is made to the form, it causes redirections with each action.
(attached screen recording: JavaScript.Powered.Forms.and.Form.io.SDK.-.Google.Chrome.2024-01-04.17-00-32.mp4)
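The root cause described in the report is a tooltip string being inserted into the page as markup, so an `<img onerror=...>` payload runs as soon as it is rendered. The following is an added example, not form.io's own code and not part of the reporter's post: it shows the two defensive measures a builder like this needs, HTML-escaping the tooltip text at render time so the browser treats it as literal text, and a validation gate that rejects tooltip values carrying event-handler attributes or `javascript:` URLs before they are saved. The function names (`escapeHtml`, `renderTooltip`, `containsActiveContent`) are hypothetical, and the only input used is the payload quoted above.

```javascript
// Added example (hypothetical helper names, not form.io code).
// Defensive handling of user-supplied tooltip text.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that has meaning in HTML so the string can only
// ever be displayed, never parsed into elements or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Render-time fix: the tooltip value is data, so it is escaped before being
// placed inside the markup. Setting `element.textContent = text` in a real
// DOM achieves the same thing without any string templating.
function renderTooltip(text) {
  return `<span class="tooltip">${escapeHtml(text)}</span>`;
}

// Save-time gate: a tooltip should never contain a tag with an on* handler
// attribute or a javascript: URL. This is a detection aid for the builder,
// not a substitute for escaping at render time.
function containsActiveContent(text) {
  const s = String(text);
  const hasEventHandler = /<[^>]*\bon[a-z]+\s*=/i.test(s);
  const hasJsUrl = /javascript:/i.test(s.replace(/\s+/g, ''));
  return hasEventHandler || hasJsUrl;
}

// Walk-through with the payload from the report (constructed input).
function demo() {
  const payload = "<img src=x onerror=window.open('https://www.google.com/');>";
  return {
    rejectedAtSave: containsActiveContent(payload),
    renderedSafely: !renderTooltip(payload).includes('<img'),
    rendered: renderTooltip(payload),
  };
}

console.log(demo());
```

The escaping step is the actual fix: once the tooltip is emitted as text, the `onerror` handler in the payload is inert regardless of what was stored. The save-time check only narrows how much hostile input reaches storage and gives the builder something to alert on; it is deliberately not a regex "sanitizer" that tries to clean the markup, since that approach is easy to bypass.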
Hey thanks @RahulKhandelwal17 - we're aware of this issue and it will be fixed in the next coming version.
Fixed by: #5392