Core: Added escapeHtml option to avoid XSS attacks via showLabel method#2462
Conversation
Thanks @volkanceylan
bholmesACR commented Oct 9, 2023
@volkanceylan Hey there, did this fix get added to a new release? According to Sonatype vulnerability listing "sonatype-2023-0681", which links to this page, the vulnerability has not been addressed in a new release since the current one, version 1.19.5, is still affected, correct?
I don't think they released it yet, and it is not on by default so just updating won't resolve the issue.
bholmesACR commented Oct 10, 2023
@bytestream Thanks! Also do we have to turn on/enable something like @volkanceylan says even after updating to remediate the risk? Just want to confirm
@bholmesACR You have to set
This adds a new constructor option "escapeHtml".
There is a script injection risk if the messages set via $.validator.messages etc. are originating from a user localizable dictionary, like a translation screen as the showLabel function uses .html() to set the label content. Even in cases where that is not an issue, if the message itself contains a format placeholder like "{0} is not valid value for this field", as the value passed to {0} is a user input, it still provides an opportunity for script injection attacks albeit at a lower risk.
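As an added illustration (not jquery-validation's own code), the two paths the description contrasts, in plain JavaScript without jQuery: `escapeHtml`, `formatMessage` and `containsMarkup` are names invented for this sketch, and its `escape` flag is assumed to play the role of the PR's opt-in `escapeHtml` option.

```javascript
// Added illustration, not jquery-validation's own code. It mirrors the two
// inputs the PR description names: a message template (possibly from a
// user-editable translation dictionary) and the {0} value (form input),
// and shows what reaches a label when the result is assigned as HTML.

// Escape the characters that carry meaning in HTML text and attributes.
// '&' must go first so the entities we emit are not escaped a second time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Expand "{0}", "{1}", ... placeholders. With escape=true (the hardened
// path, assumed here to correspond to the PR's opt-in escapeHtml option)
// both the template and each substituted argument are escaped; with
// escape=false the raw strings are joined, which is the injection path
// when the result is later handed to .html().
function formatMessage(template, args, escape) {
  const enc = escape ? escapeHtml : String;
  // Escape the template first; placeholders contain no special characters,
  // so they survive escaping and are replaced afterwards.
  return enc(template).replace(/\{(\d+)\}/g, (match, index) => {
    const i = Number(index);
    return i < args.length ? enc(args[i]) : match;
  });
}

// True if a rendered message still contains something a browser would parse
// as a tag; usable as a unit-test guard on whichever path a form relies on.
function containsMarkup(rendered) {
  return /<[a-z!\/]/i.test(rendered);
}

// Constructed sample: the template from the PR description and a value a
// user could type into the field (a harmless <b> tag is enough to show that
// the browser would parse it as markup).
const SAMPLE_TEMPLATE = "{0} is not valid value for this field";
const SAMPLE_INPUT = "<b>hello</b>";

function demo() {
  return {
    raw: formatMessage(SAMPLE_TEMPLATE, [SAMPLE_INPUT], false),
    escaped: formatMessage(SAMPLE_TEMPLATE, [SAMPLE_INPUT], true),
  };
}
```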