Raised by Leonid Brujev (leonid.brujev@environment-agency.gov.uk)
Small heads up on the interactive-map search plugin. Not urgent, but there’s a potential XSS issue.
https://github.com/DEFRA/interactive-map/blob/main/docs/plugins/search.md#custom-datasets
The search plugin renders the suggestion marked field using dangerouslySetInnerHTML, and the docs describe marked as an HTML string built by the consumer’s parseResults.
The documented example uses ${query} without escaping, and there’s no security note. This means anyone following the example ends up with a stored-XSS sink whenever result text (or the query) contains HTML.
Low severity for us (OS API data is hard to inject into), but worth checking.
Raised by Leonid Brujev (leonid.brujev@environment-agency.gov.uk)
Small heads up on the interactive-map search plugin. Not urgent, but there’s a potential XSS issue.
https://github.com/DEFRA/interactive-map/blob/main/docs/plugins/search.md#custom-datasets
The search plugin renders the suggestion marked field using dangerouslySetInnerHTML, and the docs describe marked as an HTML string built by the consumer’s parseResults.
The documented example uses ${query} without escaping, and there’s no security note. This means anyone following the example ends up with a stored-XSS sink whenever result text (or the query) contains HTML.
Low severity for us (OS API data is hard to inject into), but worth checking.