Welcome to the React feedback portal. We’re happy you’re here! If you have feedback on how to improve React, we’d love to hear it!

  • Check out the features or bugs others have reported and vote on your favorites. Feedback will be prioritized based on popularity.
  • If you have feedback that’s not listed yet, submit your own.

Thanks for joining our community and helping improve Syncfusion products!


Hi,


I have found an XSS vulnerability in the event editor for the scheduler component. It is reproducible by configuring the resource `textField` to have an XSS payload such as 

<img src=1 href=1 onerror="javascript:alert(1)"></img>

(I also noticed this feedback form is XSS vulnerable when I pasted this attack vector!!)

I then double-click a cell to launch the event editor; however, the malicious code is executed and I get an alert.

With enableHtmlSanitizer set to true, I would expect this string to be sanitised.


Thanks,

Josh.
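The report above turns on one point: a resource's `textField` value is data, and the editor must render it as text rather than as markup. The snippet below is an added illustration written for this post; it is not Syncfusion code and does not use the Scheduler API. It assumes a hypothetical `renderResourceLabel` helper that a component would call before placing a label into HTML, and uses the reporter's own payload (copied from the post) as the constructed sample input to show that, once escaped, it carries no tag or event-handler attribute the browser could act on. A `looksLikeMarkup` check is included as the kind of guard a team could run over stored resource names to flag entries that warrant review.

```javascript
// Added example (not Syncfusion's code): render user-supplied resource text
// as inert text instead of markup.

// Minimal HTML escaping: ampersand first so later replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical helper: what a label renderer should do with a textField value
// before it becomes part of an HTML string. Returns the escaped label only.
function renderResourceLabel(textFieldValue) {
  return escapeHtml(textFieldValue);
}

// Defensive check for stored data: does a resource name contain anything that
// reads like a tag or an inline event handler? Used to flag, not to sanitise.
function looksLikeMarkup(value) {
  const s = String(value);
  return /<\s*\/?\s*[a-z]/i.test(s) || /\bon[a-z]+\s*=/i.test(s);
}

// Constructed sample input: the payload quoted in the report above.
const SAMPLE_PAYLOAD = '<img src=1 href=1 onerror="javascript:alert(1)"></img>';

// Evaluate the sample so the results can be inspected or asserted on.
function demo() {
  const escaped = renderResourceLabel(SAMPLE_PAYLOAD);
  return {
    escaped,
    // After escaping there is no raw '<' left, so no element can be created.
    containsRawTag: /<[a-z]/i.test(escaped),
    flagged: looksLikeMarkup(SAMPLE_PAYLOAD),
    benignFlagged: looksLikeMarkup("Room A (2nd floor)"),
  };
}

console.log(demo());
```

In a React component the same outcome comes for free when the label is rendered as a child expression (`{resource.text}`) rather than through `dangerouslySetInnerHTML`; the escape step above is what that path does internally, and the `looksLikeMarkup` check is only a review aid for data already in storage.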