Topic: Select component XSS Cross Site Scripting issue

development.apployed@bcs.nl priority asked 1 year ago


Expected behavior

If an option value in the select is written as Html encode such as: <img src=# onerror=alert('xss')> By selecting the value, it should select the value and not execute the html code!

Actual behavior

By selecting the value, the html will be exectuted and you will get the alert('xss') shown on the page

Resources (screenshots, code snippets etc.)

<select class="select" data-mdb-filter="true"> <option value="1">&lt;img src=# onerror=alert('xss')&gt;</option> <option value="2">Two</option> <option value="3">Three</option> <option value="4">Four</option> <option value="5">Five</option> <option value="6">Six</option> <option value="7">Seven</option> <option value="8">Eight</option> <option value="9">Nine</option> <option value="10">Ten</option> </select>



How long do you think it will take to fix this issue and in which version will it be fixed?

Thank you in advance for your quick answer.


Kamila Pieńkowska staff commented 1 year ago

We do not provide dates or content for future releases beforehand.


development.apployed@bcs.nl priority commented 1 year ago

Hi,

I see that there is a new release 6.4.1 but I don't see the fix for the crossed-site issue.

Did you maybe forget to mention it and is it maybe fixed in this version?

kind regards


Grzegorz Bujański staff commented 1 year ago

Unfortunately, this release did not fix it. We will try to fix it as soon as possible


Mateusz Lazaru staff answered 1 year ago


Thanks for the report, we will fix it soon.



Please insert min. 20 characters.

FREE CONSULTATION

Hire our experts to build a dedicated project. We'll analyze your business requirements, for free.

Status

Answered

Specification of the issue

  • ForumUser: Priority
  • Premium support: Yes
  • Technology: MDB Standard
  • MDB Version: MDB5 6.3.1
  • Device: All
  • Browser: All
  • OS: All
  • Provided sample code: No
  • Provided link: No