Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Xss issue #18

Closed
dineshrb opened this issue Feb 21, 2013 · 4 comments
Closed

Xss issue #18

dineshrb opened this issue Feb 21, 2013 · 4 comments

Comments

@dineshrb
Copy link

Script gets executed when given as an option
$('#sampleauto').typeahead({
name: 'accounts',
local: ['github', 'select2', 'typeahead', '<script>alert("github")</script>']
});
@jharding
Copy link
Contributor

Doesn't seem like the onus to prevent this scenario should belong to typeahead.js. If you plan on using typeahead.js with untrusted data, you'll need to escape it beforehand.

@dineshrb
Copy link
Author

A hook for escaping the data should be provided atleast.

@jharding
Copy link
Contributor

v0.9 will have support filters for remote and prefetched data. You'll be able to use that as your hook.

@jharding
Copy link
Contributor

Closing as #25 will resolve it.

@wilg wilg mentioned this issue Aug 21, 2014
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jharding @dineshrb