Bootbox 5.5.2 Cross-Site Scripting
Unsolved
Technical Support
-
I don't know what Bootbox is for, but evidently NodeBB 1.18.4 depends on Bootbox 5.5.2, which has a cross-site scripting vulnerability according to npm audit.
-
Bootbox is used to show modals and alerts. You can test it by running
bootbox.alert('hello')
in your browser console. The vulnerability mentioned comes from bootbox allowing any HTML to be passed in. For example
bootbox.alert('hello<script>alert("ok")</script>')
This will execute the JavaScript in the text. So it has to be sanitized before passing it to bootbox:
bootbox.alert(utils.escapeHTML('hello<script>alert("ok")</script>'))
For the full discussion you can check https://github.com/makeusabrew/bootbox/issues/661
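The following is an added example, not code from the thread, from NodeBB or from Bootbox. It shows what the reply above describes, in a form that runs outside a browser: a stand-in for the sink (bootbox concatenates the message into the modal's markup), the same `<script>` payload from the reply plus an event-handler-attribute variant, and an escape function of the kind the reply means by `utils.escapeHTML` (the real NodeBB helper is assumed to behave like this; its exact implementation is not on the page). `containsActiveContent` is a deliberately crude check used only to make the difference visible in a test.

```javascript
// Added example (not part of the NodeBB thread or the bootbox project).
// Demonstrates why text must be HTML-escaped before it reaches bootbox.alert,
// which treats its message argument as markup.

// Assumed escape function: the reply refers to NodeBB's utils.escapeHTML, whose
// exact implementation is not shown on the page. This one covers the five
// characters that matter in element content and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHTML(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for the vulnerable sink: the message is placed into the modal body
// exactly as bootbox does, as raw HTML, with no escaping.
function renderModalBody(message) {
  return '<div class="bootbox-body">' + message + '</div>';
}

// Hardened form: escape before the string ever reaches the sink. This is the
// pattern the reply recommends (bootbox.alert(utils.escapeHTML(text))).
function renderModalBodySafe(message) {
  return renderModalBody(escapeHTML(message));
}

// Crude detector for executable content in markup: a <script> element or an
// inline on*= event-handler attribute. Good enough to show the difference in a
// test; not a substitute for escaping or a real sanitizer.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payloads. The first is the one from the reply; the second is an
// added variant that needs no <script> element at all, since an inline event
// handler on an injected element fires on its own.
const PAYLOADS = {
  script: 'hello<script>alert("ok")</script>',
  attribute: 'hello<img src=x onerror=alert("ok")>',
};

// Runs both payloads through the raw and the escaped sink and reports whether
// the resulting markup still carries something executable.
function demo() {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    report[name] = {
      raw: containsActiveContent(renderModalBody(payload)),        // true: XSS
      escaped: containsActiveContent(renderModalBodySafe(payload)), // false: inert text
    };
  }
  return report;
}

module.exports = { escapeHTML, renderModalBody, renderModalBodySafe, containsActiveContent, PAYLOADS, demo };
```

Escaping at the call site, as the reply suggests, is the right fix for text that is meant to be displayed literally. Where a caller genuinely needs markup inside the modal, the markup has to be built from trusted strings with only the user-controlled fragments escaped; escaping the whole string and then unescaping parts of it defeats the purpose.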
Copyright © 2024 NodeBB | Contributors