Self XSS

[Nahiiko]

Self XSS is possible by typing something like "onclick="alert(1);"

I think it's because data-text doesn't contain sanitized characters.
Don't think it's critical but there you go regardless :)

[jcubic]

Can you create a PoC for this? Without reproduction it's like saying "your library is broken" without saying anything else.

Please show example, how this lead to XSS, if it's true is more problematic than you think.
I've already found some XSS long ago and reported it to NPM, because the developer (User) of the library could unintentionally create reflected XSS if he was not careful. That's why I've disabled some options by default.

[jcubic]

Ok, I was able to reproduce, I was testing in Terminal JavaScript demo that is not affected.

Thanks for the report.

[jcubic]

I think that I've forget in one place to escape " with " it's happen only when formatting is enabled (the XSS is not present if so). But outside of formatting the code is not escaped. Probably the code for data-text attribute was added later so data-text attribute is always present, but escaping was not added to this new code.

And just FYI: to prevent the XSS you can use this code:

$.terminal.new_formatter([/([\s\S]+)/g, '[[;;]$1]']);

that wraps whole text into empty formatting, it's no op but it will trigger the code that do escape the " with ".