XSS Vector
Closed this issue · 1 comments
dantman commented
generateNavItem contains an XSS vector.
https://github.com/afeld/bootstrap-toc/blob/gh-pages/bootstrap-toc.js#L59-L64
generateNavItem: function(headingEl) {
var anchor = this.generateAnchor(headingEl);
var $heading = $(headingEl);
var text = $heading.data('toc-text') || $heading.text();
return $('<li><a href="#' + anchor + '">' + text + '</a></li>');
},
text is concatenated directly into the HTML; this means user-supplied headers can use escaped <> and they will be turned into unescaped HTML. Additionally, this means that headers that legitimately use some special HTML characters may end up ruined in the ToC.
Use jQuery's .text(...) instead to set it; ideally href would be set the same way.
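The decode-then-reinject problem described in this report, as an added example that is not part of the issue or of bootstrap-toc itself. The jQuery-free helpers (decodeEntities, escapeHtml, generateNavItemUnsafe, generateNavItemSafe) and the sample heading are constructed here: decodeEntities stands in for what .text() returns for a heading, and generateNavItemSafe models what setting .text() and .attr('href') would produce.

```javascript
// Added example (not bootstrap-toc code). Shows why concatenating a
// heading's text back into an HTML string re-creates markup that the
// page author had deliberately escaped.

// Stand-in for what jQuery's .text() returns for a heading: the browser
// has already decoded entity references, so "&lt;b&gt;" comes back as "<b>".
function decodeEntities(source) {
  return source
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// The vulnerable pattern from the report: anchor and text are dropped
// into an HTML string, so the decoded "<b>" becomes a live element.
function generateNavItemUnsafe(anchor, text) {
  return '<li><a href="#' + anchor + '">' + text + '</a></li>';
}

// Equivalent of the suggested fix. In jQuery this would be
//   $('<li><a></a></li>').find('a').attr('href', '#' + anchor).text(text)
// Here the same effect is modelled by escaping for element content and
// for the attribute value, so the markup structure cannot be altered.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, function (c) { return map[c]; });
}
function generateNavItemSafe(anchor, text) {
  return '<li><a href="#' + escapeHtml(anchor) + '">' + escapeHtml(text) + '</a></li>';
}

// Constructed heading source: the author escaped the brackets on purpose
// so the page renders a literal "<b>", and the ToC should do the same.
var headingSource = 'Use &lt;b&gt; for bold';
var headingText = decodeEntities(headingSource); // "Use <b> for bold"
var unsafeItem = generateNavItemUnsafe('use-b-for-bold', headingText);
var safeItem = generateNavItemSafe('use-b-for-bold', headingText);
```

The unsafe item contains a real <b> element, while the safe item renders the literal text the heading shows; the same escaping protects the href against a quote in the anchor.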
afeld commented
Good catch, thanks so much!