Topic: Select component XSS Cross Site Scripting issue
development.apployed@bcs.nl priority asked 1 year ago
Expected behavior
If an option value in the select is written HTML-encoded, such as: <img src=# onerror=alert('xss')>, then selecting that value should select it and not execute the HTML code!
Actual behavior
By selecting the value, the HTML is executed and you get the alert('xss') shown on the page.
Resources (screenshots, code snippets etc.)
<select class="select" data-mdb-filter="true">
<option value="1"><img src=# onerror=alert('xss')></option>
<option value="2">Two</option>
<option value="3">Three</option>
<option value="4">Four</option>
<option value="5">Five</option>
<option value="6">Six</option>
<option value="7">Seven</option>
<option value="8">Eight</option>
<option value="9">Nine</option>
<option value="10">Ten</option>
</select>
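The pattern behind this report, shown as an added example rather than MDB's own source: a custom select widget reads each option's label and rebuilds its dropdown from it. If the label is interpolated as markup (and later lands in innerHTML), an HTML-encoded label such as the reporter's decodes to a live <img> whose onerror fires as soon as the dropdown is rendered; escaping the label, or setting it through textContent in the DOM, keeps the same string inert. The option list, the entity decoder, the two string renderers and the browser-only renderSafeDom are all constructed for this example and are assumptions about how such a widget is built, not MDB's implementation.

```javascript
// Added example, not MDB's source. Shows why a custom select widget that
// rebuilds its dropdown from <option> labels must treat those labels as text.

// Minimal entity decoder: models the browser turning the HTML-encoded option
// text in the page source into the string option.textContent returns.
const DECODE = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&' };
function decodeEntities(s) {
  return s.replace(/&(?:lt|gt|quot|#39|amp);/g, (m) => DECODE[m]);
}

// Escape every character that can start markup or break out of an attribute.
const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPE[c]);
}

// Constructed sample: the reporter's first option, HTML-encoded as the post
// describes, plus one ordinary option.
const SAMPLE_OPTIONS = [
  { value: '1', label: decodeEntities("&lt;img src=# onerror=alert('xss')&gt;") },
  { value: '2', label: 'Two' },
];

// Vulnerable render: the label is interpolated as markup. Assigning this
// string to dropdown.innerHTML re-parses the <img> and runs its onerror.
function renderUnsafe(options) {
  return options
    .map((o) => `<li data-value="${o.value}">${o.label}</li>`)
    .join('');
}

// Hardened render: value and label are escaped, so the same string parses
// back to the literal text the author wrote and nothing executes.
function renderSafe(options) {
  return options
    .map((o) => `<li data-value="${escapeHtml(o.value)}">${escapeHtml(o.label)}</li>`)
    .join('');
}

// Equivalent DOM-based fix (assumed shape, browser only): build nodes and set
// textContent, so the label is never parsed as HTML at all.
function renderSafeDom(options, doc) {
  const ul = doc.createElement('ul');
  for (const o of options) {
    const li = doc.createElement('li');
    li.dataset.value = o.value;
    li.textContent = o.label; // never li.innerHTML = o.label
    ul.appendChild(li);
  }
  return ul;
}

// Regression check: once the widget's own <li> wrappers are removed, an
// escaped render must contain no tag opener at all.
function containsRawTag(html) {
  return /<[a-zA-Z]/.test(html.replace(/<\/?li[\s>]/g, ''));
}

// In a browser, mount the hardened dropdown; in Node this is skipped.
if (typeof document !== 'undefined') {
  document.body.appendChild(renderSafeDom(SAMPLE_OPTIONS, document));
}
```

The same escaping has to be applied to the value attribute as well as the label, since a value containing a quote can break out of data-value just as a label can inject a tag; the DOM variant avoids both problems by construction, which is why it is the preferable fix for a component that already manipulates the DOM.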
development.apployed@bcs.nl priority answered 1 year ago
How long do you think it will take to fix this issue and in which version will it be fixed?
Thank you in advance for your quick answer.
Kamila Pieńkowska staff commented 1 year ago
We do not provide dates or content for future releases beforehand.
development.apployed@bcs.nl priority commented 1 year ago
Hi,
I see that there is a new release 6.4.1 but I don't see the fix for the cross-site issue.
Did you maybe forget to mention it, and is it maybe fixed in this version?
Kind regards
Grzegorz Bujański staff commented 1 year ago
Unfortunately, this release did not fix it. We will try to fix it as soon as possible.
Answered
- ForumUser: Priority
- Premium support: Yes
- Technology: MDB Standard
- MDB Version: MDB5 6.3.1
- Device: All
- Browser: All
- OS: All
- Provided sample code: No
- Provided link: No