I've identified Cross-Site Scripting (XSS) vulnerabilities in '@hashicorp/hero'
Vulnerability Details:
Steps to Reproduce: In a React.js project:
```jsx
import React from "react";
import Hero from "@hashicorp/react-hero";

// Both props carry an <img> whose onerror handler fires as soon as the
// element is inserted into the DOM, because the component writes them
// into the page via dangerouslySetInnerHTML without sanitizing.
const App = () => {
  return (
    <>
      <Hero
        description={`<img src='' onerror=alert(1)>`}
        headline={`<img src='' onerror=alert(1)>`}
      />
    </>
  );
};

export default App;
```
Then the malicious code alert(1) will be executed. Any React.js application using this package may be vulnerable to XSS.
Suggested Fix or Mitigation: Sanitize the HTML before passing it to dangerouslySetInnerHTML using popular sanitization libraries, e.g., dompurify
react-components/packages/section-header/index.js
Lines 10 to 43 in 18198c8
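As an added illustration, not code from the react-components repository or from the reporter, here is the component shape the report describes next to the mitigation it suggests. The prop names `headline` and `description` come from the report; the component bodies, the `sanitize` helper and the DOMPurify allow-list are assumptions made for this example.

```jsx
import React from "react";
import DOMPurify from "dompurify";

// Vulnerable shape (assumed, modelled on the report): a prop that may carry
// untrusted markup is handed straight to dangerouslySetInnerHTML, so an
// <img src='' onerror=alert(1)> payload in `headline` executes when the
// element is inserted into the document.
export function UnsafeHero({ headline, description }) {
  return (
    <section className="g-hero">
      <h1 dangerouslySetInnerHTML={{ __html: headline }} />
      <p dangerouslySetInnerHTML={{ __html: description }} />
    </section>
  );
}

// Hardened shape: run the value through DOMPurify before it reaches __html.
// DOMPurify's defaults already drop event-handler attributes; this allow-list
// (chosen for the example) tightens further to inline formatting and links,
// which is all a headline or short description should ever need.
const SANITIZE_OPTIONS = {
  ALLOWED_TAGS: ["b", "i", "em", "strong", "a", "br", "code"],
  ALLOWED_ATTR: ["href", "target", "rel"],
};

// Assumed helper: coerce to string so undefined/null props cannot reach the
// sanitizer as the literal text "undefined".
function sanitize(html) {
  return DOMPurify.sanitize(String(html ?? ""), SANITIZE_OPTIONS);
}

export function Hero({ headline, description }) {
  return (
    <section className="g-hero">
      <h1 dangerouslySetInnerHTML={{ __html: sanitize(headline) }} />
      <p dangerouslySetInnerHTML={{ __html: sanitize(description) }} />
    </section>
  );
}

// If the copy never needs markup at all, the simplest fix is to drop
// dangerouslySetInnerHTML: React escapes text children, so the same payload
// renders as literal text and no element or handler is created.
export function PlainHero({ headline, description }) {
  return (
    <section className="g-hero">
      <h1>{headline}</h1>
      <p>{description}</p>
    </section>
  );
}
```

Two caveats for anyone applying this: the sanitization belongs inside the component that owns the `dangerouslySetInnerHTML` call, not in each caller, otherwise every consumer of the package has to remember to do it; and `dompurify` needs a DOM, so in a server-rendered (Next.js) setup it must either be given a `jsdom` window or be replaced by the `isomorphic-dompurify` package, which wraps that step.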