Hi,
I found some XSS vulnerabilities in the `text_object()` function (Line 802, https://github.com/PamornT/flex2html/blob/main/js/flex2html.js#L802) on the `<p>${text}<!-- content --></p>`. Currently, it injects the `text` property directly into the HTML without escaping.
This is critical if a developer uses this library to render user-generated input (e.g., displaying a LINE text message from a user), as it allows arbitrary code execution.
For example, this JSON payload executes JavaScript:
```json
{
  "type": "text",
  "text": "<img src=x onerror=alert('XSS')>"
}
```
Other impacted areas: I also observed similar unescaped injections in other components (such as button_object, hero_box_video, and image_object).
Is this intended behavior (to allow raw HTML), or should the library default to escaping special characters across these components?
Thanks!
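An added example, not part of the original report and not flex2html's own code: the interpolation pattern described above next to an escaped version, run on the payload from the report. All function names are hypothetical, and the attribute helper assumes the other components place a URL into `src`/`href`, which the report does not confirm.

```javascript
// Added example: names below are hypothetical, not flex2html's own code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML parsing in text or quoted attributes.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern described in the report: the property is interpolated as-is.
function renderTextUnescaped(node) {
  return `<p>${node.text}<!-- content --></p>`;
}

// Same template with the property escaped before interpolation.
function renderTextEscaped(node) {
  return `<p>${escapeHtml(node.text)}<!-- content --></p>`;
}

// Attribute context (assumption: image/button/video components place a URL in src/href).
// Escaping alone does not stop javascript: URLs, so allowlist the scheme as well.
function safeUrlAttr(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return ''; // not an absolute URL: drop it
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return '';
  return escapeHtml(url.href);
}

// Constructed sample input: the payload from the report.
const sample = { type: 'text', text: "<img src=x onerror=alert('XSS')>" };
console.log(renderTextUnescaped(sample));
console.log(renderTextEscaped(sample));
console.log(safeUrlAttr('javascript:alert(1)'));
console.log(safeUrlAttr('https://example.com/a.png?x=1&y=2'));
```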