XSS vulnerable
reno1979 opened this issue · 3 comments
reno1979 commented
The util.createElement method uses the innerHTML method.
Therefore I can execute a script like this:
Input value for a taggable selectr instance:
`<img srx='x' onerror='alert(1)'>`
I’ll try to create a pull request as soon as possible.
See https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML for more information.
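The difference between passing a typed tag value to an `innerHTML` sink as-is and escaping it first, as an added example that is not part of the original thread and is not Selectr's code. The function names and the `<li class="tag">` markup are assumptions made for illustration; the input is the value quoted in the report.

```javascript
// Added example; names and markup are hypothetical, not Selectr's code.

// Escape the five characters that let a string leave text context in HTML.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Pattern from the report: the typed tag value is concatenated into markup
// that is later assigned to innerHTML, so it is parsed as HTML.
function tagMarkupUnsafe(value) {
  return '<li class="tag">' + value + "</li>";
}

// Hardened: the value is escaped, so the parser sees only text.
// In a browser, setting el.textContent = value achieves the same result
// without building a markup string at all.
function tagMarkupSafe(value) {
  return '<li class="tag">' + escapeHtml(value) + "</li>";
}

// Regression check: names of the elements the HTML parser would open.
function elementNames(markup) {
  return Array.from(markup.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g), (m) => m[1].toLowerCase());
}

// Input value quoted in the report above.
const reported = "<img srx='x' onerror='alert(1)'>";

console.log(elementNames(tagMarkupUnsafe(reported))); // [ 'li', 'img' ]
console.log(elementNames(tagMarkupSafe(reported)));   // [ 'li' ]
console.log(tagMarkupSafe(reported));
```

A check like `elementNames` fits in a unit test for the tag-rendering path, so a later change that reintroduces raw interpolation fails the build.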
reno1979 commented
See latest pull request update.
josdejong commented
Good to see the issue is already on the radar 👍
I got it reported via https://app.snyk.io/test/npm/mobius1-selectr/2.4.8
josdejong commented
🎉