Help us understand the issue by including:
- Type of vulnerability (XSS, injection, etc.)
- Affected version(s)
- Step-by-step instructions to reproduce
- Proof of concept (if applicable)
- Suggested fix (if you have one)
When using ol-contextmenu:

Always validate and sanitize user input before displaying in menu items:

```js
// ❌ Unsafe - XSS vulnerability
{
  text: userInput, // Could contain malicious HTML
  callback: fn
}

// ✅ Safe - Sanitized
{
  text: sanitizeHTML(userInput),
  callback: fn
}
```

Be cautious with callbacks that execute user-controlled code:
```js
// ❌ Unsafe - eval is dangerous
{
  text: 'Execute',
  callback: (obj) => {
    eval(obj.data.code); // Never do this!
  }
}

// ✅ Safe - Validated actions
{
  text: 'Execute',
  callback: (obj) => {
    if (allowedActions.includes(obj.data.action)) {
      performAction(obj.data.action);
    }
  }
}
```

Validate icon URLs to prevent XSS:
```js
// ❌ Unsafe
{
  text: 'Item',
  icon: userProvidedURL // Could be javascript: or data: URL
}

// ✅ Safe
{
  text: 'Item',
  icon: isValidImageURL(userProvidedURL) ? userProvidedURL : defaultIcon
}
```

Consider using CSP headers to mitigate XSS risks:
```html
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; img-src 'self' data: https:">
```

ol-contextmenu renders user-provided text and icons in the DOM. Always sanitize:
- Menu item text
- Icon URLs
- Custom CSS classes
- Data passed to callbacks