3.4.1 Tooltip sanitization breaks popover with tables
victornpb opened this issue · 3 comments
Is there any reason why `<table>` is not whitelisted by the sanitizeHtml function?
bootstrap-sass/assets/javascripts/bootstrap.js, line 1313 in b34765d
This was a breaking change for us released as a patch.
Looking at the source code I found that I could set `sanitize: false`, but I don't see why it would be required to turn sanitization off completely just to be able to use tables. Are there any known vulnerabilities regarding tables that I'm not aware of?
```js
$('#button').popover({
  html: true,
  content: function () {
    return `
      <div> Table below
        <table><tr><td>Foo:</td><td>bar</td></tr></table>
      </div>
    `;
  }
});
```
Minimal reproduction: https://jsfiddle.net/Victornpb/u1q7cjft/
Hi @victornpb,
We cannot whitelist every HTML element, but you can whitelist just what you need; you'll find some information about how to do so here: https://getbootstrap.com/docs/3.4/javascript/#js-sanitizer
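One way to allow the table elements without turning sanitization off, as an added example that is neither Bootstrap's nor the issue author's code: in the browser you would clone `$.fn.tooltip.Constructor.DEFAULTS.whiteList`, add the table tags, and pass the result as the `whiteList` popover option. The block below models that allow-list logic over a constructed element tree so it runs in Node without a DOM; the default-list excerpt and the sample content are constructed, not copied from Bootstrap.

```javascript
// Added example, not Bootstrap's code: a model of the Bootstrap 3.4 popover
// allow-list over a hand-built element tree, so it runs in Node without DOMParser.
// In the browser, clone $.fn.tooltip.Constructor.DEFAULTS.whiteList and pass it as `whiteList`.
// Constructed excerpt of the defaults: element -> its own allowed attributes;
// '*' lists attributes allowed on every permitted element.
const DEFAULT_WHITE_LIST = {
  '*': ['class', 'dir', 'id', 'lang', 'role'],
  a: ['target', 'href', 'title', 'rel'],
  div: [], span: [], p: [], br: [], b: [], strong: [], em: [], i: [], ul: [], li: []
};

// Clone the defaults and add the table elements with no attributes of their own,
// so `<td onclick=...>` still loses its handler while plain cells survive.
function withTableElements(base) {
  const list = {};
  for (const tag of Object.keys(base)) list[tag] = base[tag].slice();
  for (const tag of ['table', 'thead', 'tbody', 'tr', 'th', 'td']) list[tag] = [];
  return list;
}

// An attribute survives only if listed for this element or under '*'.
// (Bootstrap additionally validates URL-valued attributes such as href/src.)
function attrAllowed(tag, attrName, list) {
  const name = attrName.toLowerCase();
  return (list[tag] || []).includes(name) || list['*'].includes(name);
}

// node = { tag, attrs: {name: value}, children: [node | text] }. Returns a
// sanitized copy; an element not in the list is dropped with its whole subtree.
function sanitizeTree(node, list) {
  if (typeof node === 'string') return node;
  const tag = node.tag.toLowerCase();
  if (Object.keys(list).indexOf(tag) === -1) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    if (attrAllowed(tag, name, list)) attrs[name] = value;
  }
  const children = (node.children || [])
    .map((child) => sanitizeTree(child, list)).filter((child) => child !== null);
  return { tag, attrs, children };
}

// Constructed sample: the issue's popover content plus a hostile attribute.
const SAMPLE = { tag: 'div', attrs: {}, children: ['Table below', {
  tag: 'table', attrs: { class: 'table', onclick: 'alert(1)' },
  children: [{ tag: 'tr', attrs: {}, children: [
    { tag: 'td', attrs: {}, children: ['Foo:'] }, { tag: 'td', attrs: {}, children: ['bar'] }
  ] }]
}] };
```

With the extended list the table and its cells survive but `onclick` is stripped; with the untouched defaults the whole table is dropped, which is the behaviour reported in the issue.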
My question is, is there any intrinsic security issue with tables that I'm not aware of? Because I also don't want to blindly whitelist something that I don't fully understand.
You'll find everything on the OWASP website, see: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TABLE