fix xss bug on tooltip initialize #853
Conversation
|
example of bug (mouse over the image to trigger): |
|
guess the possibility to accept raw html could be made optional, but by default I think is too risky for this kind of bugs. Html could be allowed only if user does not have direct control of the input fed to tooltip component |
|
I understand the concern. |
|
Did you see example? http://jsfiddle.net/tNm8d/ |
|
I would be pleased even if only with a configuration option that triggers this patch, even if off by default. I would of course prefer on by default as a security measure, but I don't know what opposition that would face. I was honestly surprised to find a security hole in this library and expected that our site was merely out of date or misconfigured. |
|
Off topic, but is it possible to patch a pull request (eg, to add a setting)? With git I would just checkout the master repo, pull and merge the commit, add another commit, and request a pull from there - does this work in github? I can't seem to figure out how the ui supports it, and I've spent about as much time as I can justify (to my boss) on this. |
|
You need to fork the project first, then do your patch, then do a pull request. |
|
Read all the comments, and just have one short one to add of my own. Because this issue has been reported as a security issue by IBM IT, it makes it difficult for some people (e.g., me) to get permission to use it. So, please, pull the patch into the release, provide whatever options to make people happy, but I would love to see the security issue closed. Here's the link: http://xforce.iss.net/xforce/xfdb/78122 |
Tooltip doesn't sanitize html when initialized, even though the html passed is already sanitized.
I found a patch from here, but probably a pull request was never done.
OtaK/foundation@eb68779