Due to the russian war on Ukraine, we are much less active on this blog and social media. However, some events make us knock the dust off the keyboard and share some information. For instance, a vulnerability is worth a CVE. We found this one in February 2022, and a few others are under review. Meanwhile, all BSG team members are safe, and we stay operational.

Tagify is a tags input component for React, Vue, and Angular that can also be used as a standalone library in pure JavaScript. It transforms an input field or a textarea into a Tags component. A cross-site scripting (XSS) issue was discovered in versions before 4.9.8 (CVE-2022-25854). An attacker could exploit it by storing a persistent script payload, which would lead to arbitrary script execution in the browser of anyone visiting an affected page.

Technical Summary

Tagify is a quite popular JavaScript library: it has about 38,000 weekly downloads on npm, and 24 packages depend on it. While testing custom input functionality on a website, we observed that the "tags" parameter was not sanitized against cross-site scripting when the data was loaded via the user's profile page. A deep dive into the code base showed that the bug is in Tagify's template wrapper, which leads to an XSS vulnerability and makes applications that use tagify.js or react.tagify vulnerable as well. Tagify's API does not provide any documented option to add onhover, onclick, etc. handlers through the placeholder prop, and there is no way to add such handlers using any of the other props described in the TagifyWrapper.propTypes object; placeholder is the only one that allows it. It is undocumented, unintended, and unexpected behavior.

A pull request with the fix was sent to the vendor. The vendor informed us that it would be fixed in the following product version (v4.9.8). The vendor has since published the fixed product version (v4.9.8).

To reproduce, open the following forked Tagify React Wrapper demo. Notice line #17, where a customUserInput variable is declared. This variable mocks data that came from an API or a user input. On line #23, we use the customUserInput variable to customize the tags. Open the Tags tab once the demo app is rendered and hover over the first input.
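To make the bug class concrete, here is an added example. It is not Tagify's own code, not the vendor's fix, and not taken from the forked demo: it models a template-literal wrapper that interpolates a user-controlled placeholder into HTML attributes, once unescaped and once escaped, and a small attribute tokenizer that reports which on* handler attributes a browser would actually see on the rendered tag. The markup, the escapeAttr helper, the attributeNames parser, the class name and the constructed payload are all assumptions for illustration; the real Tagify template and the 4.9.8 fix differ in detail.

```javascript
// Added example (not Tagify's code). Simplified stand-in for a template
// wrapper that drops a placeholder straight into attribute values.

// Minimal HTML attribute escaping: enough to keep a value inside a
// double-quoted attribute, which is the bug class at hand.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable pattern: user-controlled placeholder interpolated unescaped.
// (Assumed markup; the real template differs.)
function renderVulnerable(placeholder) {
  return `<span contenteditable data-placeholder="${placeholder}" ` +
    `aria-placeholder="${placeholder}" class="tagify__input"></span>`;
}

// Hardened pattern: same markup, value escaped before interpolation.
function renderFixed(placeholder) {
  const p = escapeAttr(placeholder);
  return `<span contenteditable data-placeholder="${p}" ` +
    `aria-placeholder="${p}" class="tagify__input"></span>`;
}

// Constructed payload in the shape the advisory describes: close the quoted
// attribute, add an event-handler attribute that fires on hover, then open a
// dummy attribute to swallow the template's own closing quote.
const CONSTRUCTED_PAYLOAD =
  'Add tags" onmouseover="alert(document.domain)" data-x="';

// Tiny attribute tokenizer for the first tag in `html`: returns the attribute
// names as a browser would parse them. Quoted values are skipped as opaque,
// so an on* name only shows up if the payload actually broke out of the quotes.
function attributeNames(html) {
  const names = [];
  let i = html.indexOf('<');
  if (i < 0) return names;
  i++;
  while (i < html.length && !/[\s>\/]/.test(html[i])) i++; // skip tag name
  while (i < html.length && html[i] !== '>') {
    while (i < html.length && /[\s\/]/.test(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    while (i < html.length && !/[\s=>\/]/.test(html[i])) name += html[i++];
    if (name) names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        i = end < 0 ? html.length : end + 1; // skip the quoted value
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++; // unquoted
      }
    }
  }
  return names;
}

// Event-handler attributes that the browser would register on the tag.
function injectedHandlers(html) {
  return attributeNames(html).filter((n) => n.startsWith('on'));
}

// Usage: same payload through both renderers.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', injectedHandlers(renderVulnerable(CONSTRUCTED_PAYLOAD)));
  console.log('fixed:', injectedHandlers(renderFixed(CONSTRUCTED_PAYLOAD)));
}
```

The vulnerable renderer yields one onmouseover attribute per interpolation site (two here), which is why the demo step is to hover the input; the escaped renderer keeps the whole payload inside the data-placeholder and aria-placeholder values, so the tokenizer sees only the static attributes. Note that a regex search for `onmouseover=` would flag both outputs; the check has to follow attribute quoting to tell them apart.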