Topic: Select component XSS Cross Site Scripting issue priority asked 10 months ago

Expected behavior

If an option value in the select is written HTML-encoded, such as: <img src=# onerror=alert('xss')>. By selecting the value, it should select the value and not execute the HTML code!

Actual behavior

By selecting the value, the HTML will be executed and you will get the alert('xss') shown on the page.

Resources (screenshots, code snippets etc.)

<select class="select" data-mdb-filter="true">
  <option value="1">&lt;img src=# onerror=alert('xss')&gt;</option>
  <option value="2">Two</option>
  <option value="3">Three</option>
  <option value="4">Four</option>
  <option value="5">Five</option>
  <option value="6">Six</option>
  <option value="7">Seven</option>
  <option value="8">Eight</option>
  <option value="9">Nine</option>
  <option value="10">Ten</option>
</select>

priority answered 10 months ago

How long do you think it will take to fix this issue and in which version will it be fixed?

Thank you in advance for your quick answer.

Kamila Pieńkowska staff commented 10 months ago

We do not provide dates or content for future releases beforehand.

priority commented 9 months ago


I see that there is a new release 6.4.1 but I don't see the fix for the cross-site issue.

Did you maybe forget to mention it and is it maybe fixed in this version?

kind regards

Grzegorz Bujański staff commented 9 months ago

Unfortunately, this release did not fix it. We will try to fix it as soon as possible

Mateusz Lazaru staff answered 10 months ago

Thanks for the report, we will fix it soon.
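The report above boils down to a classic rendering mistake: the browser decodes the option's entity-encoded label when it parses the markup (so `option.text` is the raw string `<img src=# onerror=alert('xss')>`), and a custom select widget that then rebuilds its dropdown or "selected value" display by concatenating that text into an HTML string and assigning it to `innerHTML` turns the text back into a live element. The following is an added example, not MDB's own source code, that models both halves of that flow and the fix. The functions (`decodeEntities`, `renderSelectedVulnerable`, `renderSelectedFixed`, `containsTag`) and the constructed option list are assumptions for illustration; the entity decoder only stands in for what the HTML parser does and is not a complete decoder.

```javascript
// Added example (not MDB's code): why an HTML-encoded option label becomes
// live markup when a select widget rebuilds its UI with innerHTML.

// Stand-in for the browser's HTML parser: after parsing
// <option>&lt;img ...&gt;</option>, option.text is the DECODED string.
// (Assumption for this example; handles only the five basic entities.)
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" does not become "<"
}

// Escape a string so it is safe to concatenate into HTML text or attribute
// content (the standard five-character escape).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample: option labels exactly as they appear in the page source
// of the report (encoded on purpose by the page author).
const optionMarkup = [
  { value: '1', label: "&lt;img src=# onerror=alert('xss')&gt;" },
  { value: '2', label: 'Two' },
];

// What script code sees through option.value / option.text once parsed.
function parsedOptions(markup) {
  return markup.map((o) => ({ value: o.value, text: decodeEntities(o.label) }));
}

// Vulnerable pattern: the decoded label is concatenated straight into an HTML
// string that the widget later assigns to element.innerHTML, so the <img>
// tag inside the label is parsed as an element and its onerror handler runs.
function renderSelectedVulnerable(option) {
  return `<span class="select-value" data-value="${option.value}">${option.text}</span>`;
}

// Fixed pattern: escape every dynamic piece before concatenation. In a real
// DOM the equivalent is to build the <span> with createElement and set
// span.textContent = option.text instead of using innerHTML.
function renderSelectedFixed(option) {
  return `<span class="select-value" data-value="${escapeHtml(option.value)}">` +
    `${escapeHtml(option.text)}</span>`;
}

// Check used below and in tests: does the rendered HTML still contain an
// actual start tag of the given name (as opposed to escaped text)?
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// Demo run on the constructed sample.
const opts = parsedOptions(optionMarkup);
console.log('decoded label :', opts[0].text);
console.log('vulnerable    :', renderSelectedVulnerable(opts[0]),
  '-> live <img>:', containsTag(renderSelectedVulnerable(opts[0]), 'img'));
console.log('fixed         :', renderSelectedFixed(opts[0]),
  '-> live <img>:', containsTag(renderSelectedFixed(opts[0]), 'img'));
```

The same check applies to every place the widget copies option data into markup: the filter results list, the selected-value chip, and any `data-*` attribute built from `option.value`. Reading `option.innerHTML` instead of `option.text` would happen to keep this particular payload encoded, but that is an accident of how the page author wrote the label; labels set from JavaScript or from a server template are still plain text and must be escaped or inserted via `textContent`.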

Specification of the issue

  • ForumUser: Priority
  • Premium support: Yes
  • Technology: MDB Standard
  • MDB Version: MDB5 6.3.1
  • Device: All
  • Browser: All
  • OS: All
  • Provided sample code: No
  • Provided link: No