Semantic-ui: [Dropdown] Security Vulnerability with data-text

Created on 16 May 2017 · 10 Comments · Source: Semantic-Org/Semantic-UI

When adding the data-text option to dropdown items, the contents are executed when the user clicks on them. Here is a simple JSFiddle with two dropdowns: http://jsfiddle.net/daneren2005/7x4jqbe7/2/. The top one uses data-text and you will get a popup XSS when you select the only option. The second does not use it and isn't vulnerable.

Change Declined

All 10 comments

There has been no activity in this thread for 90 days. While we care about every issue and we'd love to see this fixed, the core team's time is limited so we have to focus our attention on the issues that are most pressing. Therefore, we will likely not be able to get to this one.

However, PRs for this issue will of course be accepted and welcome!

If there is no more activity in the next 90 days, this issue will be closed automatically for housekeeping. To prevent this, simply leave a reply here. Thanks!

This is still an open security vulnerability

Although there is currently no volunteer to work on any of this, it would be nice to have a whole section dedicated to security on the Semantic-UI web site, and for each module, a sub-section on the secure use of that particular module.

[Security] Documentation on the secure usage of Semantic-UI #6570

Honestly I would probably hit it myself if it wasn't for all of the open PRs and it seeming to be a waste of time to try to add to this project.

I know what you mean.
Meanwhile, if you have the time and feel so inclined, you can always try submitting a PR to Fomantic-UI, https://github.com/fomantic/Fomantic-UI which is an active fork of this project...

I will have to take a look at it. I am still using 2.2 so I would need a decent chunk of time to upgrade to a fork like that to validate all of the changes don't break the crap ton of custom css I use on top of Semantic. Thanks for the link though.

This is not a security issue; removing HTML parsing is already a setting.

$('.ui.dropdown.selection').dropdown({preserveHTML: false});

No alert in this jsfiddle fork
http://jsfiddle.net/15pw0Lku/

It's up to implementors to decide if they want to prevent this behavior. This can also be solved with CSP.
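The following is an added illustration, not code from Semantic-UI or Fomantic-UI, of the two rendering paths the comment above contrasts. The dropdown widget is stood in for by plain string functions so it runs in Node without a DOM: `renderSelectedText` models what gets written into the dropdown's text element when an item with a `data-text` attribute is selected, with `preserveHTML: true` (the default, as the comment implies) passing the markup through and `preserveHTML: false` HTML-escaping it. The item list and the `<img onerror>` payload are constructed for the example, modelled on the issue report; `escapeHtml` and `containsRawTag` are helper names chosen here.

```javascript
// Added example (not Semantic-UI's own code): a minimal model of how a
// dropdown's selected text is rendered from an item's data-text attribute,
// with and without the preserveHTML setting discussed in the thread.

// Escape the five characters that let attacker-controlled text break out of
// an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed dropdown items. In the real markup each one is
// <div class="item" data-value="..." data-text="...">label</div>.
const items = [
  // Payload modelled on the issue report: data-text carries markup.
  { value: '1', dataText: '<img src=x onerror="alert(1)">', label: 'Option 1' },
  // Benign text that still needs escaping to render literally.
  { value: '2', dataText: 'Plain & simple', label: 'Option 2' },
];

// Returns the HTML that would be written into the dropdown's text element
// when `item` is selected. data-text takes precedence over the item label,
// as in the widget; preserveHTML=true writes it through as markup,
// preserveHTML=false escapes it so it renders as literal text.
function renderSelectedText(item, { preserveHTML = true } = {}) {
  const text = item.dataText !== undefined ? item.dataText : item.label;
  return preserveHTML ? text : escapeHtml(text);
}

// True when an element tag survives in the rendered output, i.e. the
// HTML-injection path is still open.
function containsRawTag(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Demonstration: the same item rendered both ways.
for (const item of items) {
  console.log('preserveHTML: true  ->', renderSelectedText(item));
  console.log('preserveHTML: false ->', renderSelectedText(item, { preserveHTML: false }));
}
```

Note that escaping addresses the injection itself; a Content-Security-Policy that forbids inline script would stop the `onerror` handler in this particular payload from running, but it would not prevent the injected markup from being inserted into the page, so the escaping setting is the primary fix and CSP is defence in depth.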

We implemented data sanitizing and added a security page to the docs
https://fomantic-ui.com/modules/dropdown.html#/security

For the record, I repeat what I already said elsewhere:
https://github.com/Semantic-Org/Semantic-UI/issues/6570#issuecomment-451653492

@lubber-de What you did is great! Thank you very much for taking the time to implement this. I am very happy that Fomantic is making such progress and taking security issues seriously. Many thanks to the whole team.
