twbs/bootstrap-sass

3.4.1 Tooltip sanitization breaks popover with tables

victornpb opened this issue · 3 comments

Is there any reason why <table> is not whitelisted by the sanitizeHtml function?

var DefaultWhitelist = {

This was a breaking change for us, released as a patch.

Looking at the source code I found that I could set sanitize: false, but I don't see why it would be required to turn sanitization off completely just to be able to use tables. Are there any known vulnerabilities regarding tables that I'm not aware of?

$('#button').popover({
  html: true,
  content: function () {
    return `
        <div> Table below
            <table><tr><td>Foo:</td><td>bar</td></tr></table>
        </div>
    `;
  }
})

Minimal reproduction: https://jsfiddle.net/Victornpb/u1q7cjft/

Hi @victornpb,

We cannot whitelist every HTML element, but you can whitelist just what you need; you'll find some information about how to do so here: https://getbootstrap.com/docs/3.4/javascript/#js-sanitizer
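To make the "whitelist just what you need" advice concrete, here is an added illustration (not Bootstrap's own code, and not from this thread) of how a whitelist-based sanitizer of the kind documented for Bootstrap 3.4 decides what survives: elements not in the list are dropped with their subtree, attributes must be listed for the tag or globally under `*`, and URI-carrying attributes must additionally match a safe-URL pattern. It works over a small pre-parsed tree constructed inline rather than a real DOM so it runs in plain Node. The whitelist shape (tag name to allowed-attribute array, `*` for global attributes) mirrors the documented `whiteList` option; `baseWhiteList`, `withTableElements`, `sanitizeTree` and the sample content are assumptions made for the example.

```javascript
// Added illustration of whitelist-based sanitization decisions, modelled on the
// approach documented for Bootstrap 3.4 (tag whitelist + per-tag attribute
// whitelist + safe-URL check). This is NOT Bootstrap's implementation.

// Attributes that carry a URI are only kept when their value looks safe.
const URI_ATTRS = ['background', 'cite', 'href', 'itemtype', 'longdesc', 'poster', 'src', 'xlink:href'];
// Schemes that are acceptable, or a relative reference without a scheme.
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/i;

// A small whitelist in the documented shape (assumed subset for the example):
// tag -> allowed attributes; '*' applies to every whitelisted tag.
const baseWhiteList = {
  '*': ['class', 'dir', 'id', 'lang', 'role', /^aria-[\w-]*$/i],
  a: ['target', 'href', 'title', 'rel'],
  b: [], br: [], div: [], p: [], span: [], strong: []
};

// Return a copy of the whitelist that additionally allows table structure
// with no extra attributes. Copying avoids mutating a shared default object.
function withTableElements(whiteList) {
  const extended = Object.assign({}, whiteList);
  ['table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td', 'caption'].forEach(tag => { extended[tag] = []; });
  return extended;
}

// An attribute is kept if its name is listed (or matches a listed regex);
// URI attributes must also pass the safe-URL check.
function attributeAllowed(name, value, allowedAttrs) {
  const attrName = name.toLowerCase();
  if (allowedAttrs.includes(attrName)) {
    return URI_ATTRS.includes(attrName) ? SAFE_URL_PATTERN.test(value) : true;
  }
  return allowedAttrs.some(rule => rule instanceof RegExp && rule.test(attrName));
}

// Tiny tree model standing in for DOM nodes: {text} or {tag, attrs, children}.
const text = s => ({ text: s });
const el = (tag, attrs, children) => ({ tag, attrs, children });

// Walk the tree: drop non-whitelisted elements (and everything under them),
// filter attributes of the ones that remain, keep text nodes untouched.
function sanitizeTree(node, whiteList) {
  if ('text' in node) return node;
  const tag = node.tag.toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(whiteList, tag)) return null;
  const allowedAttrs = whiteList['*'].concat(whiteList[tag]);
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs)) {
    if (attributeAllowed(name, value, allowedAttrs)) attrs[name] = value;
  }
  const children = node.children.map(c => sanitizeTree(c, whiteList)).filter(Boolean);
  return { tag, attrs, children };
}

function escapeHtml(s) {
  return s.replace(/[&<>"]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
}

// Serialize the (sanitized) tree back to markup so results are easy to compare.
function serialize(node) {
  if (node === null) return '';
  if ('text' in node) return escapeHtml(node.text);
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
  return `<${node.tag}${attrs}>${node.children.map(serialize).join('')}</${node.tag}>`;
}

function sanitizeToHtml(tree, whiteList) {
  return serialize(sanitizeTree(tree, whiteList));
}

// Constructed sample: the popover content from this issue, with one allowed
// attribute (class, via '*') and one unlisted attribute (style) on the table.
const popoverContent = el('div', {}, [
  text('Table below'),
  el('table', { class: 'table-condensed', style: 'color:red' }, [
    el('tr', {}, [
      el('td', {}, [text('Foo:')]),
      el('td', {}, [text('bar')])
    ])
  ])
]);

// With the base list the whole table disappears; with the extended list the
// table structure survives but the unlisted style attribute is still dropped.
console.log(sanitizeToHtml(popoverContent, baseWhiteList));
console.log(sanitizeToHtml(popoverContent, withTableElements(baseWhiteList)));
```

In a real Bootstrap 3.4 page the equivalent would be to pass the extended list through the documented option, e.g. `whiteList: withTableElements($.fn.tooltip.Constructor.DEFAULTS.whiteList)` alongside `html: true`, rather than setting `sanitize: false`; that keeps event-handler and other unlisted attributes out of the popover while letting the table markup through.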

My question is, is there any intrinsic security issue with tables that I'm not aware of? Because I also don't want to blindly whitelist something that I don't fully understand.

You'll find everything on the OWASP website, see: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TABLE