bugfix: the label has xss bug #17

Open
lyon-liao wants to merge 1 commit into itslenny:master from lyon-liao:xss-bug
@lyon-liao
The source code is:

    if(attrs.label!=='false'){
        //set label text to label if available otherwise default to value
        var labelText = scope.$eval(attrs.label ? attrs.label : attrs.value);
        var label = angular.element('<label>'+labelText+'</label>');

        //add label before or after depending on label-left value
        if(attrs.labelLeft){
            element.prepend(label);
        }else{
            element.append(label);
        }
    }

When label is <script>alert(1)</script>, the alert will open.
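
The string-built label from the snippet above next to an escaped form, as an added example that is not part of this pull request or the project's code. `escapeHtml`, `labelMarkupUnsafe`, `labelMarkupSafe` and `introducesElements` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example, not the PR's code. All function names are hypothetical.

// Characters that can change the parsing context in element content or attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // String() mirrors what '+' concatenation does with non-string values.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Same construction as the snippet: the label text is parsed as markup.
function labelMarkupUnsafe(labelText) {
  return '<label>' + labelText + '</label>';
}

// Hardened form: the label text can only end up as character data.
function labelMarkupSafe(labelText) {
  return '<label>' + escapeHtml(labelText) + '</label>';
}

// Check for tests: does the content inside <label>...</label> open or close a tag?
function introducesElements(markup) {
  const inner = markup.slice('<label>'.length, -'</label>'.length);
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed sample inputs: a plain label, the value from the report, mixed text.
const samples = ['On', '<script>alert(1)</script>', 'A & B <b>bold</b>'];

for (const s of samples) {
  const unsafe = labelMarkupUnsafe(s);
  const safe = labelMarkupSafe(s);
  console.log('unsafe:', unsafe, '| adds elements:', introducesElements(unsafe));
  console.log('safe:  ', safe, '| adds elements:', introducesElements(safe));
}
```

Inside the directive, jqLite's `.text()` gives the same result without building a string: `angular.element('<label></label>').text(labelText)`.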
