Thanks for this great component!
Before 1.13.6 it was possible to use HTML in the subtext, like:
<select>
<option data-subtext="<br>lorem ipsum">option 1</option>
</select>
With 1.13.6 this change/fix was introduced:
- #2199: Fixed an XSS vulnerability with data-content, data-subtext, and title options. Implemented a new HTML sanitizer for data-content.
Does this mean using HTML is only supported in data-content? If so, it's a breaking change and IMHO the minor version should (have been) updated, no?
Or is it just a regression?
Thanks!
While normally I'd agree this should have been included in a version bump, the ability to insert HTML via data-subtext was an undocumented and unintended feature (as well as a potential vector for an XSS attack). Because it is a security risk, I wanted to ensure this was available to any projects that set the target bootstrap-select version at ~1.13.0 (patch versions only). For the time being, data-content is the only way to insert HTML. Perhaps in the next version I could add another option for data-content - placement - which would determine whether the content was placed before, after, or replaced option text (replaced would be default).
I'll leave this issue open for now for visibility.
Ok, I see. Thanks for the quick reply and explanation.
For my use case the current data-content implementation is fine, but it might be useful for others to set the placement (e.g. #711).
Why not follow Bootstrap (and reuse their sanitizer)? See: https://getbootstrap.com/docs/3.4/javascript/#popovers-options
The bootstrap-select sanitizer is based on Bootstrap's, except modified to be much faster. Using their sanitizer would require converting DOM nodes into an HTML string first, just to be converted back into DOM nodes, and then converted back into an HTML string again. When iterating over hundreds or thousands of options, that becomes very slow. Bootstrap-select's sanitizer simply accepts DOM nodes as an argument, cutting out most of the overhead.
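The node-based allowlist approach described in the comment above, as an added example that is neither bootstrap-select's nor Bootstrap's code. The allowlist contents are modelled loosely on Bootstrap's defaults, and the function names (`sanitizeNodes`, `isAttributeAllowed`, `serialize`) and the tiny node shape are assumptions: the node objects are a constructed stand-in for DOM elements so the example runs under Node.js without a browser. The point it shows is that walking nodes directly lets the sanitizer drop disallowed elements, attributes and URL values without ever serialising to an HTML string and re-parsing it.

```javascript
// Added example (not bootstrap-select's or Bootstrap's code): an allowlist
// sanitizer that walks a node tree directly instead of round-tripping
// through an HTML string. The node shape (nodeName, attributes, childNodes)
// is a constructed stand-in for the DOM so this runs under Node.js; in a
// browser the same walk would call element.removeAttribute() and
// parentNode.removeChild() instead of filtering arrays.

const ARIA_ATTRIBUTE_PATTERN = /^aria-[\w-]*$/i;
// URL-bearing attributes are kept only for these schemes or for relative
// URLs; anything else (javascript:, data:text/html, ...) is dropped.
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/i;
const URI_ATTRIBUTES = new Set(['href', 'src', 'cite', 'xlink:href']);

// Elements and attributes permitted in subtext-style markup (assumed list,
// loosely modelled on Bootstrap's defaults). '*' applies to every permitted
// element. Event handlers (on*) and <script>/<style> are never listed.
const DEFAULT_ALLOWLIST = {
  '*': ['class', 'dir', 'id', 'lang', 'role', ARIA_ATTRIBUTE_PATTERN],
  a: ['target', 'href', 'title', 'rel'],
  b: [], br: [], em: [], i: [], small: [], span: [], strong: [], u: [],
  img: ['src', 'alt', 'title', 'width', 'height'],
};

function isAttributeAllowed(attr, allowed) {
  const name = attr.name.toLowerCase();
  const permitted = allowed.some((rule) =>
    rule instanceof RegExp ? rule.test(name) : rule === name);
  if (!permitted) return false;
  // Permitted name, but URL-bearing attributes also need a safe value.
  return URI_ATTRIBUTES.has(name) ? SAFE_URL_PATTERN.test(attr.value) : true;
}

// Sanitise the children of `node` in place and return `node`. The root is
// treated as the container and is not itself checked. Element children whose
// tag is not allowlisted are removed together with their whole subtree, so a
// <script>'s text never turns into visible text.
function sanitizeNodes(node, allowlist = DEFAULT_ALLOWLIST) {
  const global = allowlist['*'] || [];
  node.childNodes = node.childNodes.filter((child) => {
    if (child.nodeName === '#text') return true;
    const tag = child.nodeName.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(allowlist, tag)) return false;
    const allowed = [...global, ...allowlist[tag]];
    child.attributes = child.attributes.filter((a) => isAttributeAllowed(a, allowed));
    sanitizeNodes(child, allowlist);
    return true;
  });
  return node;
}

// Constructed node builders standing in for createElement/createTextNode.
const el = (tag, attributes = [], ...childNodes) =>
  ({ nodeName: tag.toUpperCase(), attributes, childNodes });
const text = (data) => ({ nodeName: '#text', textContent: data });

const VOID_ELEMENTS = new Set(['br', 'img', 'hr']);
const escapeHtml = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');

// Serialise a tree back to HTML, used only to display or check the result.
function serialize(node) {
  if (node.nodeName === '#text') return escapeHtml(node.textContent);
  const tag = node.nodeName.toLowerCase();
  const attrs = node.attributes.map((a) => ` ${a.name}="${escapeHtml(a.value)}"`).join('');
  const open = `<${tag}${attrs}>`;
  if (VOID_ELEMENTS.has(tag)) return open;
  return `${open}${node.childNodes.map(serialize).join('')}</${tag}>`;
}

// Constructed sample subtext: harmless formatting plus the kinds of markup a
// sanitizer must neutralise (an event-handler attribute, a javascript: URL
// and a <script> element). `doSomething` is a placeholder name.
function sampleSubtext() {
  return el('div', [],
    el('span', [{ name: 'class', value: 'text-muted' }], text('lorem ipsum')),
    el('br'),
    el('img', [{ name: 'src', value: '/img/icon.png' },
               { name: 'onerror', value: 'doSomething()' }]),
    el('a', [{ name: 'href', value: 'javascript:void(0)' },
             { name: 'title', value: 'link' }], text('more')),
    el('script', [], text('doSomething()')),
  );
}

function sanitizeSample() {
  return serialize(sanitizeNodes(sampleSubtext()));
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(sanitizeSample());
}
```

Running it prints the sample with the `onerror` attribute, the `javascript:` href and the whole `<script>` element gone, while the `span`, `br` and `img` survive with their permitted attributes. The same allowlist and URL check apply whether the input came from `data-subtext` or `data-content`; the difference from a string-based sanitizer is only that the nodes are filtered where they already are.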