afeld/bootstrap-toc

XSS Vector

Closed this issue · 1 comment

generateNavItem contains an XSS vector.

https://github.com/afeld/bootstrap-toc/blob/gh-pages/bootstrap-toc.js#L59-L64

      generateNavItem: function(headingEl) {
        var anchor = this.generateAnchor(headingEl);
        var $heading = $(headingEl);
        var text = $heading.data('toc-text') || $heading.text();
        return $('<li><a href="#' + anchor + '">' + text + '</a></li>');
      },

text is concatenated directly into the HTML. This means user-supplied headers can use escaped <> and they will be turned into unescaped HTML. Additionally, this means that headers that legitimately use some special HTML characters may end up ruined in the ToC.

Use jQuery's .text(...) instead to set it; ideally href would be set the same way.
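Added example (not bootstrap-toc's code): the concatenation shape from generateNavItem beside two versions that keep heading text as text, one DOM/jQuery-style as the issue suggests and one string-building equivalent that escapes instead. The sample heading texts are constructed and model what $heading.text() returns, i.e. already-decoded text.

```javascript
// Added example, not bootstrap-toc's own code. Function names are assumptions.

// Minimal HTML escaping for values placed inside element content or a
// double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Shape of the original generateNavItem: text and anchor are pasted into markup,
// so decoded text from the heading is re-parsed as HTML.
function generateNavItemUnsafe(anchor, text) {
  return '<li><a href="#' + anchor + '">' + text + '</a></li>';
}

// String-building equivalent of the fix: both interpolated values escaped, so a
// heading containing < or & shows up unchanged in the ToC instead of being parsed.
function generateNavItemEscaped(anchor, text) {
  return '<li><a href="#' + escapeHtml(anchor) + '">' + escapeHtml(text) + '</a></li>';
}

// Browser-only variant matching the issue's suggestion: build nodes and assign
// text and href as data rather than markup. jQuery form of the same thing:
//   $('<li><a></a></li>').find('a').attr('href', '#' + anchor).text(text).end()
function generateNavItemDom(anchor, text) {
  var li = document.createElement('li');
  var a = document.createElement('a');
  a.setAttribute('href', '#' + anchor);
  a.textContent = text; // never parsed as HTML
  li.appendChild(a);
  return li;
}

// Constructed heading text, as $heading.text() would return it for
// <h2>&lt;em&gt;injected&lt;/em&gt;</h2> and <h2>a &lt; b &amp;&amp; c</h2>.
var MARKUP_TEXT = '<em>injected</em>';
var LEGIT_TEXT = 'a < b && c';
```

The unsafe version turns MARKUP_TEXT into a live element and mangles LEGIT_TEXT; the escaped and DOM versions render both literally.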

afeld commented

Good catch, thanks so much!