Skip to content

XSS injection possible with data-content #2870

Description

@gabriel-cardoso

It looks like it's possible to inject Javascript code with the data-content option.

When data-content="<img src=x onerror=console.log('hello')">, the onerror attribute is correctly removed from the generated HTML but it looks like the value is interpreted ("hello" is displayed in the JS console).

Is it the expected behaviour ?

<html>
<head>
    <title>XSS Injection</title>
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.8/css/bootstrap-select.css">
  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
  <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
  <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.bundle.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.18/js/bootstrap-select.js"></script>
</head>
<body>
  <select class="selectpicker">
    <option data-content="<img src='x' onerror='console.log(9)'>">hello</option>
  </select>
</body>
</html>

Here is a JSFiddle illustrating the issue

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions