This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Fixed XSS #2 #3

Open
Aravindha1234u wants to merge 14 commits into 418sec:master from Aravindha1234u:master

Conversation

@Aravindha1234u

Fixed XSS #2

Issues: Cross-Site Scripting allows people to inject malicious JavaScript code to steal user data.

Please check if the PR fulfills these requirements

  • It's submitted to the right branch according to our branching model
  • It has the right issue type in the title
  • When resolving a specific issue, it's referenced in the PR's title (e.g. fix #xxx[,#xxx], where "xxx" is the issue number)
  • The commit message follows our guidelines
  • Tests for the changes have been added (for bug fixes/features)
  • Docs have been added/updated (for bug fixes/features)
  • It does not introduce a breaking change, or the breaking change is described

Description

Bounty URL: https://www.huntr.dev/bounties/2-npm-tui-grid/
Issue: XSS
Fixed

Payload: ss'<img src=x onerror=alert(1)>
Paste the payload into any custom editor field and click outside it to see the JavaScript execute.



Thank you for your contribution to TOAST UI product. 🎉 😘 ✨
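Added example, not tui-grid's code and not part of this PR: the defect class behind the report is editor text reaching the DOM as markup. The PR's own fix (commit "chore: innerHTML => textContent") assigns the value as text; the string-building form below shows the same contrast in a way that runs under Node. The `renderCell*` helpers and `extraTagNames` are hypothetical names; the payload is the one quoted in the PR description.

```javascript
// Payload quoted from the PR description above.
const PAYLOAD = "ss'<img src=x onerror=alert(1)>";

// Minimal HTML encoding for text placed in element content or quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (hypothetical): the cell value is concatenated into markup
// and later handed to innerHTML, so the browser parses the <img> and runs onerror.
function renderCellUnsafe(value) {
  return `<td class="tui-grid-cell">${value}</td>`;
}

// Hardened pattern: same markup, but the value is encoded first, so the payload
// survives only as inert text. Assigning via textContent achieves the same result.
function renderCellSafe(value) {
  return `<td class="tui-grid-cell">${escapeHtml(value)}</td>`;
}

// Defender's check: which tag names appear in the rendered fragment besides the
// wrapper we emitted ourselves? Anything extra came from the user-controlled value.
function extraTagNames(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((t) => t !== "td");
}

console.log("unsafe :", renderCellUnsafe(PAYLOAD), "-> extra tags:", extraTagNames(renderCellUnsafe(PAYLOAD)));
console.log("safe   :", renderCellSafe(PAYLOAD), "-> extra tags:", extraTagNames(renderCellSafe(PAYLOAD)));
```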

joebordes and others added 14 commits April 15, 2021 10:22
* docs: add coreBOS to used by

* docs: change URL of coreBOS to home site
* fix: copy the data without encoding

* chore: innerHTML => textContent

* chore: apply code review
…n#1312)

* fix: duplicated component key

* fix: wrong offsetTop, offsetLeft style

* chore: add dummy story(show the cell with scroll)

* chore: add integration test for dummy rows and remove story

* chore: fix broken test case
Bumps [y18n](https://github.com/yargs/y18n) from 3.2.1 to 3.2.2.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: add select box max-height

* fix: set max-height to checkbox editor
* fix: add i18n for filter select option

* chore: add filter button i18n

* chore: remove unnecessary blank line
* fix: Remove empty values from select filter

* fix: Nil value handling when selectAll is selected

* chore: add test case(filter empty value in select filter)

Co-authored-by: js87zz <js87zz.lee@nhn.com>
… is smaller than the filter layer left position (nhn#1327)
* feat: add draggableRow

* chore: wrong comment for grid instance

* feat: add floating row css for draggable

* feat: add draggable functionality

* chore: add test case(D&D move row)

* chore: apply code review

* feat: tree drag and drop (nhn#1324)

* feat: add tree drag operation

* refactor: tree floating cell

* refactor: add tree parent-cell class name

* feat: add drag event

* feat: move tree row

* fix: add '_isLeaf' prop for checking leaf node properly

* feat: change moveRow API for moving the tree row

* chore: add test case(move tree row)

* chore: add drag event test case

* docs: add event description

* chore: fix broken test case

* chore: fix floating row css

* feat: add custom draggable renderer

* chore: apply review

* chore: apply code review

* chore: apply code review

* feat: add appended property in drop event

* fix: wrong property(isLeaf => leaf)

* chore: fix the move to last row

* chore: add z-index to floating-line css

* feat: move floating row as X position
* fix: emit script error when copying unobservable rows

* chore: apply code review
@huntr-helper

👋 Hello, @js87zz. @Aravindha1234u has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@js87zz - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

