XSS Responsibility? #326
Description
What steps will reproduce the problem?
- Insert an XSS into
SEOTools::setTitle();orSEOTools::setDescription(); - View Site
<script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage","name":"<script>alert(0)</script> on Bazaar","description":"<script>alert(0)</script> on Bazaar in Custom at Aug 1, 2024 with: xxx","image":"https://blobs-infiniteugc.svc.halowaypoint.com/ugcstorage/map/298d5036-cd43-47b3-a4bd-31e127566593/5546a6ec-841d-4955-be7a-5f32c3ac0428/images/thumbnail.png"}</script>
What is the expected result?
- Nothing happens, but encoded text.
What do you get instead?
- An XSS
Additional info
| Q | A |
|---|---|
| This Package Version | 1.3.1 |
| Laravel Framework Version | 11.x |
Should the package be cleansing data prior to writing to tags? Or is it up to me to cleanse data prior to injecting into library?