You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A runtime SyntaxError is thrown by querySelector() that causes the React component tree to crash when the value or fallback textContent contains special characters. We discovered this when pen testers created a resource with a value of <a href="javascript:alert(1)">Click Me!</a> that when hovered crashed our app.
Rendering of the CommandItem on the DOM works as expected, as JSX escapes characters. However, when the CommandItem is hovered, document.querySelector('[data-value="..."]') causes a runtime error. This is because the data-value attribute is being set to an unescaped string.
I addressed this within our implementation by sanitizing the value prop with CSS.escape(value), or with a regex fallback, if the CSS object isn't available, replacing special characters with an empty string.
I believe this escapement should be addressed by the library, if possible. Thank you.
A runtime
SyntaxErroris thrown byquerySelector()that causes the React component tree to crash when thevalueor fallbacktextContentcontains special characters. We discovered this when pen testers created a resource with avalueof<a href="javascript:alert(1)">Click Me!</a>that when hovered crashed our app.Rendering of the
CommandItemon the DOM works as expected, as JSX escapes characters. However, when theCommandItemis hovered,document.querySelector('[data-value="..."]')causes a runtime error. This is because thedata-valueattribute is being set to an unescaped string.I addressed this within our implementation by sanitizing the value prop with
CSS.escape(value), or with a regex fallback, if the CSS object isn't available, replacing special characters with an empty string.I believe this escapement should be addressed by the library, if possible. Thank you.
Screen.Recording.2025-10-16.at.10.07.48.AM.mov