Skip to content

Potential XSS issue with search #389

Description

@dannyleech

Raised by Leonid Brujev (leonid.brujev@environment-agency.gov.uk)

Small heads up on the interactive-map search plugin. Not urgent, but there’s a potential XSS issue.
https://github.com/DEFRA/interactive-map/blob/main/docs/plugins/search.md#custom-datasets

The search plugin renders the suggestion marked field using dangerouslySetInnerHTML, and the docs describe marked as an HTML string built by the consumer’s parseResults.
The documented example uses ${query} without escaping, and there’s no security note. This means anyone following the example ends up with a stored-XSS sink whenever result text (or the query) contains HTML.

Low severity for us (OS API data is hard to inject into), but worth checking.

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs-tidying-before-doneFunctionally done but needs tidying (e.g. unit tests, documentation)pluginOptional functionality introduced by a pluginplugin:search

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions