Node.js third-party modules: XSS in Bootbox

ID H1:508446
Type hackerone
Reporter yonjah
Modified 2019-05-04T16:52:39



Sorry for taking the time with this report.

This is an already publicly disclosed issue at -

In essence, all dialogs of bootbox are vulnerable to XSS injection ( bootbox.alert("<script>alert(1);</script>"); )

This is apparently a feature to allow injecting HTML in messages, but it is not very clear from the documentation.
Even though this issue has been reported for a while, no changes were made to fix this issue or even update the documentation.

Kind Regards,


Websites using bootbox to display messages containing user input are vulnerable to XSS
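The following is an added example, not code from the report or from the bootbox project, showing the practical consequence of the behaviour described above: because bootbox.alert() treats its message argument as HTML, any string that contains user input has to be HTML-escaped before it is handed to the dialog. The escapeHtml() and showUserMessage() helpers, the dialog parameter and the sample payload are all assumptions made for this example; only the bootbox.alert(message) call shape comes from the report.

```javascript
// Added example (not from the original report or from bootbox).
// bootbox renders the message string as HTML, so a raw user-controlled
// string is an XSS sink. Escaping the five HTML metacharacters makes the
// browser render the payload as literal text instead of markup.

// Our own escaping helper (assumption: not a bootbox API).
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Wrapper that callers use instead of bootbox.alert() directly.
// `dialog` is any object exposing alert(message) (e.g. the global `bootbox`);
// it is passed in so the example runs without a browser or jQuery.
function showUserMessage(dialog, userInput) {
  const safe = escapeHtml(userInput);
  dialog.alert(safe);
  return safe; // returned so the rendered string can be inspected/tested
}

// Constructed sample of attacker-controlled input (e.g. taken from a URL
// parameter and echoed back in a dialog).
const userInput = '<script>alert(1);</script>';

// Vulnerable pattern from the report: the payload is parsed as markup.
//   bootbox.alert(userInput);
//
// Hardened pattern: the payload is displayed verbatim.
//   showUserMessage(bootbox, userInput);

// Minimal stand-in for bootbox that records what it was asked to render,
// so the example can be run outside a browser.
function makeRecordingDialog() {
  const rendered = [];
  return { alert: (msg) => rendered.push(msg), rendered };
}

if (typeof require !== 'undefined' && require.main === module) {
  const dialog = makeRecordingDialog();
  showUserMessage(dialog, userInput);
  console.log(dialog.rendered[0]);
}
```

The escaping step is only correct for text placed in HTML element content or a quoted attribute; if a site deliberately relies on bootbox's HTML rendering to format messages, the user-supplied fragment must be escaped separately and concatenated into the trusted markup, never interpolated raw.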