Good morning,
We have noticed a Cross Site Scripting (XSS) issue in the "Web Client" using Servoy 2021.3.2.3644_LTS.
The "Security Setting" servoy.clientTrustDataAsHtml in our instances is always set to false. We want the XSS protection and generally it works great.
Most of the form components that support valuelists handle malicious scripts correctly according to the security setting above except the "textbox" and "typeahead" components. When focus is gained with these components and prior to the valuelist showing, the payload in the script executes.
To reproduce this issue create a valuelist with an entry with a script within it, e.g. "xsstest<img/src=x onerror=alert(document.domain)>". Then attach that valuelist to a textbox or typeahead component. Launch the "Web Client" and then click in the component.
For an example please see the attached pngs.
Would it be possible to get this fixed please, as it has been identified as a security issue during a recent penetration test?
Thanks,
Mark
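The following is an added example, not code from the post above or from Servoy, showing the behaviour the report describes: the same valuelist entry rendered with the data trusted as HTML versus escaped as text. The function names, the `trustDataAsHtml` parameter and the `valuelist-row` markup are assumptions made for this illustration only; Servoy's own web-client rendering code is not reproduced here. The payload is constructed to match the one in the report.

```javascript
// Added example (not Servoy's code). Models how one valuelist entry reaches the DOM
// under the two values of the servoy.clientTrustDataAsHtml setting. The function
// names, the "trustDataAsHtml" parameter and the row markup are assumptions.

// Constructed payload, the same shape as the one in the report.
const PAYLOAD = 'xsstest<img/src=x onerror=alert(document.domain)>';

// Escape the five characters that can break out of an HTML text or attribute context,
// so the browser displays the entry literally instead of parsing it as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Markup for one valuelist row. With trustDataAsHtml=false the entry is escaped and
// the user sees the literal text; with true the entry is inserted as-is, so an
// <img onerror> in the data fires as soon as the row is rendered (e.g. on focus).
function renderValuelistRow(value, trustDataAsHtml) {
  const body = trustDataAsHtml ? value : escapeHtml(value);
  return `<div class="valuelist-row">${body}</div>`;
}

// Rough check for a rendered row: does the row body still contain an unescaped tag
// start? If so, inserting it via innerHTML would let the browser parse data as markup.
// An escaped row contains "&lt;" instead of "<" and therefore never matches.
function containsActiveMarkup(rowHtml) {
  const inner = rowHtml
    .replace(/^<div class="valuelist-row">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-z!\/?]/i.test(inner);
}

// Vulnerable rendering (setting true) next to the hardened rendering (setting false).
const trusted = renderValuelistRow(PAYLOAD, true);
const escaped = renderValuelistRow(PAYLOAD, false);
console.log('trusted  :', trusted, '-> active markup:', containsActiveMarkup(trusted));
console.log('escaped  :', escaped, '-> active markup:', containsActiveMarkup(escaped));
```

Running it prints the two rows side by side; the escaped row carries `&lt;img ... &gt;` and is flagged as inert, while the trusted row still contains the raw `<img>` tag. The report's point is that the textbox and typeahead take the first path on focus even though the setting asks for the second.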