Description
Cross-Site Scripting in i18next
Affected versions of i18next allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability.
Proof of Concept
// i18n is the i18next 1.x global; debug: true only enables verbose logging
var init = i18n.init({debug: true}, function(){
// escapeInterpolation: true is meant to HTML-escape every __key__ value
var test = i18n.t('__firstName__ __lastName__', {
escapeInterpolation: true,
// the value of one key names the raw-HTML form (__keyHTML__) of another key
firstName: '__lastNameHTML__',
lastName: '<script>',
});
console.log(test);
});
// equals "<script> <script>"
Recommendation
Update to version 1.10.3 or later.
Packages
Name: i18next (npm)
Affected versions: <= 1.10.2
Fixed version: 1.10.3
Related vulnerabilities
CVSS3: 6.1
nvd
more than 7 years ago
i18next is a language translation framework. Because of how the interpolation is implemented, making replacements from the dictionary one at a time, untrusted user input can use the name of one of the dictionary keys to inject script into the browser. This affects i18next <=1.10.2.
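The following is an added illustration of the mechanism the NVD text describes; it is constructed for this page and is not i18next's own code. It contrasts a replace-one-key-at-a-time interpolator (where a substituted value is re-scanned by the next replacement, so a value equal to another key's `__keyHTML__` form is expanded as raw HTML) with a single-pass interpolator that resolves every placeholder from the original template only. The function names, the `__key__` / `__keyHTML__` convention and the sample values are assumptions modelled on the proof of concept above.

```javascript
// Added example (not from i18next): sequential vs. single-pass interpolation.
// All names and inputs below are constructed for this illustration.

const escapeHtml = (s) => String(s)
  .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
  .replace(/"/g, '&quot;').replace(/'/g, '&#39;');

// Vulnerable pattern: iterate the dictionary and replace each key in turn.
// The result of an earlier replacement is fed back into later ones, so a
// value that spells "__otherKeyHTML__" is expanded by a later iteration as
// raw HTML even though escaping was requested.
function interpolateSequential(template, values) {
  let out = template;
  for (const [key, value] of Object.entries(values)) {
    out = out.replace(new RegExp(`__${key}HTML__`, 'g'), String(value)); // raw form
    out = out.replace(new RegExp(`__${key}__`, 'g'), escapeHtml(value));  // escaped form
  }
  return out;
}

// Hardened pattern: one pass over the template with a single regex callback.
// Placeholders are located in the template only; substituted values are never
// re-scanned, so a value that merely looks like a placeholder stays literal.
function interpolateSinglePass(template, values) {
  return template.replace(/__([A-Za-z0-9_]+?)(HTML)?__/g, (match, key, raw) => {
    if (!Object.prototype.hasOwnProperty.call(values, key)) return match; // unknown key: leave as-is
    const value = String(values[key]);
    return raw ? value : escapeHtml(value);
  });
}

// Constructed input mirroring the proof of concept above.
const sample = { firstName: '__lastNameHTML__', lastName: '<script>' };
console.log(interpolateSequential('__firstName__ __lastName__', sample)); // raw <script> leaks through
console.log(interpolateSinglePass('__firstName__ __lastName__', sample)); // placeholder text stays literal
```

The single-pass version is the defensive property to look for when reviewing any templating or interpolation code: the set of placeholders must be fixed by the template before any untrusted value is inserted, and inserted values must never become input to a further substitution step.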