You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Then any user clicking the mention item will trigger the XSS attack
Suggested Fix or Mitigation:
It is best practice for a React.js components package to sanitize the href attribute before passing it to an tag. React.js and many popular libraries such as react-router-dom and Next.js also ensure the safety of href attributes. For instance, React.js issues warnings about URLs starting with javascript: and is planning to block these in future versions, as indicated in this pull request.
Please consider validate the mention url to prevent any XSS attacks, thanks!
The text was updated successfully, but these errors were encountered:
I've found a Cross-Site Scripting (XSS) vulnerability in this @draft-js-plugins/mention
Vulnerability Details:
Steps to Reproduce:
In a React.js project:
Then any user clicking the mention item will trigger the XSS attack
Suggested Fix or Mitigation:
It is best practice for a React.js components package to sanitize the href attribute before passing it to an tag. React.js and many popular libraries such as react-router-dom and Next.js also ensure the safety of href attributes. For instance, React.js issues warnings about URLs starting with javascript: and is planning to block these in future versions, as indicated in this pull request.
Please consider validate the mention url to prevent any XSS attacks, thanks!
The text was updated successfully, but these errors were encountered: