Headline
CVE-2022-1330: Merge pull request #4360 from ranjit-git/ranjit-git-patch-1 · alvarotrigo/fullPage.js@e7a5db4
Stored XSS due to an unsanitized anchor URL in the GitHub repository alvarotrigo/fullpage.js prior to 4.0.4.
@@ -57,12 +57,12 @@ export function addSlidesNavigation(section){
for(var i=0; i< numSlides; i++){
var slide = utils.$(SLIDE_SEL, sectionElem)[i];
utils.appendTo(utils.createElementFromHTML('<li><a href="#"><span class="fp-sr-only">’+ getBulletLinkName(i, ‘Slide’, slide) +’</span><span></span></a></li>’), utils.$('ul’, nav)[0] );
utils.appendTo(utils.createElementFromHTML('<li><a href="#"><span class="fp-sr-only">’+ encodeURI(getBulletLinkName(i, ‘Slide’, slide)) +’</span><span></span></a></li>’), utils.$('ul’, nav)[0] );
}
//centering it
utils.css(nav, {’margin-left’: '-' + (nav.innerWidth/2) + 'px’});
var activeSlideIndex = section.activeSlide ? section.activeSlide.index() : 0;
utils.addClass(utils.$('a’, utils.$('li’, nav)[activeSlideIndex] ), ACTIVE);
}
}
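Review bot: `encodeURI` on the changed `utils.appendTo(...)` line is a URL encoder applied to text that lands in HTML element content, not in a URL. It does percent-encode `<`, `>` and `"`, so tag injection is blocked in this position, but it leaves `&` and `'` untouched, throws `URIError` on a lone surrogate, and turns spaces and non-ASCII characters in the `fp-sr-only` label into percent escapes that a screen reader will presumably read out. Keeping the untrusted name out of the HTML string avoids both problems: `var li = utils.createElementFromHTML('<li><a href="#"><span class="fp-sr-only"></span><span></span></a></li>');`, then `utils.$('.fp-sr-only', li)[0].textContent = getBulletLinkName(i, 'Slide', slide);`, then `utils.appendTo(li, utils.$('ul', nav)[0]);`. This assumes `utils.$` resolves a selector against a detached element the way it does against `nav`, which should be confirmed; `addSlidesNavigation` begins outside the hunk.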