Описание
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs
Impact
The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability.
Note: Nextcloud Server employs a strict Content Security Policy that mitigates the risk of these XSS vulnerabilities.
Patches
The vulnerability has been patched in version 3.1.2. If you need to display HTML in the toast, explicitly pass the options.isHTML config flag.
Workarounds
Make sure no user-supplied input flows into toasts.
Пакеты
@nextcloud/dialogs
< 3.1.2
3.1.2
Связанные уязвимости
The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version 3.1.2 If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag.