ukrbublik/react-awesome-query-builder

XSS handling for antd select options


Describe the bug
For the antd component, if I provide HTML elements as an option, they get executed. This is a potential security vulnerability related to HTML injection or Cross-Site Scripting (XSS).

To Reproduce
Add "<img src=1 onerror=alert(1)>" as an option in listValues and refresh.
(Two screenshots attached, taken 2023-11-26.)

Expected behavior
HTML elements should not get injected via options.
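To make the expected behavior concrete, here is an added example (not code from the issue or from react-awesome-query-builder) that contrasts the vulnerable rendering pattern with the escaped one and audits a listValues array for markup before it is handed to the widget. The `{ value, title }` entry shape and the helper names are assumptions for illustration.

```javascript
// Added example: why an option title like "<img src=1 onerror=alert(1)>"
// must reach the DOM as text, never as markup, plus an audit step that
// surfaces such entries before they render. The listValues entry shape
// ({ value, title }) is assumed, not taken from the project's code.

// Loose tag detector used only for auditing/logging, not for sanitizing.
const TAG_RE = /<\/?[a-z][^>]*>/i;

// Escape the five characters that let a string break out of text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the title is interpolated straight into markup, the
// string equivalent of innerHTML / dangerouslySetInnerHTML. The <img> tag
// in the title becomes a real element and its onerror handler runs.
function renderOptionUnsafe(opt) {
  return `<div class="option" data-value="${opt.value}">${opt.title}</div>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation,
// so the browser shows the literal text "<img ...>" instead of a tag.
function renderOptionSafe(opt) {
  const value = escapeHtml(opt.value);
  const title = escapeHtml(opt.title);
  return `<div class="option" data-value="${value}">${title}</div>`;
}

// Audit helper: return the values of listValues entries whose title or
// value carries markup, so a bad config or injected data is visible in logs.
function findMarkupInListValues(listValues) {
  return listValues
    .filter((opt) => TAG_RE.test(String(opt.title)) || TAG_RE.test(String(opt.value)))
    .map((opt) => opt.value);
}

// Constructed sample input mirroring the issue's reproduction step.
const sampleListValues = [
  { value: 'yellow', title: 'Yellow' },
  { value: 'evil', title: '<img src=1 onerror=alert(1)>' },
];

console.log(findMarkupInListValues(sampleListValues)); // ['evil']
```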