CVE-2023-3620: Filter the attr to avoid possible XSS vulnerability Fix #1132 · AmauriC/tarteaucitron.js@c4c2fcf
Cross-site Scripting (XSS) - Stored in GitHub repository amauric/tarteaucitron.js prior to v1.13.1.
@@ -2083,7 +2083,13 @@ var tarteaucitron = {
return elem.getAttribute(‘height’) || elem.clientHeight;
},
"getElemAttr": function (elem, attr) {
return elem.getAttribute('data-' + attr) || elem.getAttribute(attr);
var attribute = elem.getAttribute('data-' + attr) || elem.getAttribute(attr);
if (typeof attribute === ‘string’) {
return tarteaucitron.fixSelfXSS(attribute);
}
return "";
},
"addClickEventToId": function (elemId, func) {
tarteaucitron.addClickEventToElement(document.getElementById(elemId), func);
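Review bot: The new branch changes getElemAttr's return contract — an element with neither `data-<attr>` nor `<attr>` set now yields `""` where the old line returned `null` — and nothing in the hunk documents that, so any caller comparing the result against `null` (none are visible here) would change behavior silently. A comment above the `var attribute` line would record both the reason for the change and the new contract, e.g. `// Sanitize attribute values before they reach a DOM sink; returns "" (never null) when neither data-<attr> nor <attr> is present.`. The sanitizer `tarteaucitron.fixSelfXSS` is defined outside this hunk, so whether its escaping matches the context each caller inserts the value into (attribute, text node, URL) cannot be confirmed from here and is worth checking at the call sites that write the result into markup; escaping once at read time is only sufficient if every sink expects that same encoding.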
Related news
GHSA-f44m-65h3-99vc: tarteaucitron.js vulnerable to Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository amauric/tarteaucitron.js prior to v1.13.1.