Headline
CVE-2023-3691: XSS when rendering the title of checkbox and similar controls · Issue #I7HDXZ · Layui/layui - Gitee.com
A vulnerability, which was classified as problematic, was found in layui up to v2.8.0-rc.16. This affects an unknown part of the component HTML Attribute Handler. The manipulation of the argument title leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.8.0 addresses this issue. It is recommended to upgrade the affected component. The identifier VDB-234237 was assigned to this vulnerability.
Version
2.*
Browser
114.0.5735.199
Issue type
Suspected bug
Issue description
After a checkbox is rendered, if the title contains HTML or characters such as `"`, they are not escaped; they should be escaped with util.escape.
Scenario: many of the items are custom entries added by customers.
Business code
<input type="checkbox" title="转义" />
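As an added example (not layui's own code and not its util.escape), the following shows what the report above describes: a user-supplied title is copied into a title="..." attribute and into the visible label, so an unescaped quote or tag splits the attribute and is parsed as markup, while the escaped value round-trips intact. The escapeHtml, renderCheckbox, titleAttrs and titlePreserved names and the sample title are assumptions constructed for this example.

```javascript
// Added example, not layui's code. Minimal HTML escaper for attribute and text context.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const UNESCAPES = Object.fromEntries(Object.entries(ESCAPES).map(([k, v]) => [v, k]));

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function unescapeHtml(value) {
  return value.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => UNESCAPES[ent]);
}

// Hypothetical form-module rendering: the user-supplied title ends up both in a
// title="..." attribute and as the visible label text (the pattern the report describes).
function renderCheckbox(title, escape) {
  const t = escape ? escapeHtml(title) : title;
  return `<input type="checkbox" title="${t}" />` +
         `<div class="checkbox" title="${t}">${t}</div>`;
}

// Read back every title="..." attribute value, the way a naive parser would see them.
function titleAttrs(html) {
  return [...html.matchAll(/title="([^"]*)"/g)].map((m) => m[1]);
}

// Does each of the two title attributes decode back to the original, unsplit title?
function titlePreserved(html, title) {
  const attrs = titleAttrs(html);
  return attrs.length === 2 && attrs.every((a) => unescapeHtml(a) === title);
}

// Constructed sample: a customer-defined label containing a quote and a tag.
const SAMPLE_TITLE = 'Tom "Tommy" <b>Admin</b>';

console.log(titlePreserved(renderCheckbox(SAMPLE_TITLE, false), SAMPLE_TITLE)); // false
console.log(titlePreserved(renderCheckbox(SAMPLE_TITLE, true), SAMPLE_TITLE));  // true
```

Without escaping, the quote in the sample closes the attribute early and the `<b>` tag lands in the label as live markup; with escaping, both title attributes decode back to the original string.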
Comments (1)
nextsimple created the task
贤心 Owner
The Layui version you are using is too old; this issue was fixed long ago. Just upgrade your version: https://layui.dev
贤心 changed the task status from To do to Cancelled