Comments (4)
Hi @alexcjohnson - I just tried it and it's a vulnerability in both libraries. I'll open an issue in each and link it here for more info.
from dash.
@AnnMarieW quite possibly - it depends whether the underlying bootstrap & mantine components do anything to sanitize their inputs. Would you be up for trying them? I'm sure they would be grateful for help demonstrating that this either is or is not an issue. Reproducing in Dash is simple, put dcc.Link('dcc-link', href='javascript:alert(1)') in your layout - if you see an alert when you click the link it's vulnerable. Should be very similar for these other libraries.
Thank you @gtsp233 - we're aware of a matching vulnerability in the A component in dash-html-components and we're currently investigating whether any other components are susceptible. href validation is indeed the approach we intend to take.
I'll note that this would only be exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user. Very few public Dash apps do this, but private apps sometimes do.
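As an added example (not code from the Dash project or from any of the commenters), this is the kind of href validation the maintainer describes, written as a Python helper a Dash app could apply to stored, user-supplied links before passing them to dcc.Link or html.A. The scheme allowlist and the names is_safe_href and safe_link are assumptions for this illustration.

```python
# Added example, not Dash project code: allowlist-based href validation for
# user-supplied links that will later be rendered for other users.
import re
from urllib.parse import urlsplit

# Schemes a stored link may use (assumption for this example). Anything else,
# e.g. javascript: or data:, is rejected. Scheme-less values are relative URLs.
SAFE_SCHEMES = {"http", "https", "mailto", "tel"}

# Browsers drop ASCII control characters, tab and newline while parsing a URL,
# so "java\tscript:" is still executed. Strip the same set before checking.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def is_safe_href(href):
    """Return True when href is relative or uses an allowlisted scheme."""
    if not isinstance(href, str):
        return False
    cleaned = _CONTROL_CHARS.sub("", href)
    # Protocol-relative links ("//other-host/...") navigate off-site; this
    # example is conservative and requires an explicit, allowlisted scheme.
    if cleaned.startswith("//"):
        return False
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return True  # e.g. "/page-2" or "#section": same-origin navigation
    return scheme in SAFE_SCHEMES


def safe_link(href, fallback="#"):
    """Return href unchanged if it passes the check, otherwise a harmless fallback."""
    return href if is_safe_href(href) else fallback


if __name__ == "__main__":
    # Constructed sample values, including the reproduction from the thread.
    samples = [
        "javascript:alert(1)",
        "JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html,hi",
        "https://dash.plotly.com/",
        "/page-2",
        "mailto:someone@example.com",
    ]
    for href in samples:
        print(f"{href!r:32} -> {safe_link(href)!r}")
```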
Could other community libraries have the same vulnerability, such as the NavLink in Dash Bootstrap Components and NavLink in Dash Mantine Components?