Validate url to prevent XSS attacks about dash HOT 4 CLOSED

Hi @alexcjohnson - I just tried it and it's a vulnerability in both libraries. I'll open an issue in each and link it here for more info.

from dash.

@AnnMarieW quite possibly - it depends whether the underlying bootstrap & mantine components do anything to sanitize their inputs. Would you be up for trying them? I'm sure they would be grateful for help demonstrating that this either is or is not an issue. Reproducing in Dash is simple, put dcc.Link('dcc-link', href='javascript:alert(1)') in your layout - if you see an alert when you click the link it's vulnerable. Should be very similar for these other libraries.

from dash.

Thank you @gtsp233 - we're aware of a matching vulnerability in the A component in dash-html-components and we're currently investigating whether any other components are susceptible. href validation is indeed the approach we intend to take.

I'll note that this would only be exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user. Very few public Dash apps do this, but private apps sometimes do.

from dash.

Could other community libraries have the same vulnerability such as the NavLink in Dash Bootstrap Components, and NavLink in Dash Mantine Components?

from dash.