Cross-Site Scripting (XSS) vulnerability in "endpoint" input field

[ktk]

There was a bug bounty event where a company had a look at YASAGUI, they discovered a potential Cross-Site Scripting (XSS) vulnerability in the "endpoint input field. When one submits the following input string to the "endpoint" field:

https://myendpoint.com/query<img/src='x'/onerror='alert(8)'>

YASGUI does not properly sanitize the input and renders the untrusted data as HTML code, which results in the execution of the JavaScript code contained in the onerror attribute.

Steps to Reproduce:

• Navigate to the "endpoint" input field of the web application.
• Enter the following input string:

https://myendpoint.com/query<img/src='x'/onerror='alert(8)'>

Submit the input.

[BenjaminHofstetter]

opened an issue here TarekRaafat/autoComplete.js#406

[BenjaminHofstetter]

It's mentioned in the autoComplete doc.
TarekRaafat/autoComplete.js#406 (comment)