Описание
Cross-Site Scripting in i18next
Affected versions of i18next may fail to sanitize user input when certain configuration options are used. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true.
Proof of Concept
When escapeValue is explicitly passed, the result of test is:
This is supposed to be the default. However, if escapeValue is not included, the result is the unescaped string:
Recommendation
Update to version 3.4.4 or later.
Пакеты
i18next
>= 2.0.0, < 3.4.4
3.4.4
Связанные уязвимости
i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is not. This vulnerability affects i18next 2.0.0 and later.
i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is not. This vulnerability affects i18next 2.0.0 and later.
i18next is a language translation framework. When using the .init meth ...