Search and Top Navigation
#6016 closed bug (fixed)
Opened September 03, 2010 04:07PM UTC
Closed November 26, 2012 09:30AM UTC
Dialog: Title XSS Vulnerability
| Reported by: | shadowman131 | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 1.10.0 |
| Component: | ui.dialog | Version: | 1.8.4 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
jQuery.ui.dialog's title option is not properly escaped before being set in the dom, resulting in an XSS vulnerability for applications with dynamic titles. For instance, try:
$('<div>Hi</div>').dialog({title:'<script type="text/javascript">alert("XSS");</script>"});
If this is the desired behaviour, it should at least be noted somewhere. The best reason I could think of for this to be desired would be to use icons in <img> tags in the title. For this, maybe something like:
$.ui.dialog({
title: { html: '<img src="blah">' }
});
Would be more appropriate, as the developer indicates that they mean to use full HTML and are aware of the risks.
Attachments (0)
Change History (19)
Changed September 03, 2010 05:10PM UTC by comment:1
| resolution: | → invalid |
|---|---|
| status: | new → closed |
Changed September 03, 2010 06:26PM UTC by comment:2
I strongly disagree - as I said in the bug, at least make it apparent in the documentation. To me, a dialog title is a text attribute - I'm sure others would agree. It doesn't make sense to not escape it by default, and not even mention the lack of escaping.
Changed September 03, 2010 06:42PM UTC by comment:3
The documentation has been updated.
Changed May 02, 2011 07:16PM UTC by comment:4
| milestone: | TBD → 1.9 |
|---|---|
| resolution: | invalid |
| status: | closed → reopened |
Changed May 02, 2011 07:17PM UTC by comment:5
Changed May 06, 2011 11:56PM UTC by comment:6
I agree with shadowman13 (the OP) -- titles and labels ''should'' be html escaped by default. I feel most people assume that titles and label are purely textual attributes and as a result don't perceive them as possible XSS vulnerabilities.
For the the use case where someone wants to add an image to the title, we can require them to pass in a jquery object:
#!js
$("<div>Poppit</div>").dialog({ title: $("<img src='cheggit.png' />") });
Requiring a jquery object also improves error detection/reporting. Currently, if a user accidentally sets the title to a malformed piece of html (e.g. "<img src='cheggit.png'/"), jquery-ui will silently fail and leave the title blank. As opposed to passing in $("<img src='cheggit.png'/") which would immediately throw an exception.
IMO, this change would lead to less surprising code and better error handling.
Changed October 11, 2012 02:47PM UTC by comment:7
| milestone: | 1.9.0 → 1.10.0 |
|---|
Changed October 16, 2012 06:03PM UTC by comment:8
| owner: | → dalekocian |
|---|---|
| status: | reopened → assigned |
Changed November 17, 2012 03:19PM UTC by comment:9
If we escape the title by default, we need a way to allow the user to pass in HTML anyway. The suggestion here by Xavi is to accept a jQuery object. Do we have any examples of that elsewhere? Other ideas or opinions?
Changed November 17, 2012 03:26PM UTC by comment:10
Requiring a jQuery object everywhere a perceived XSS exists seems like a slippery slope to me. I'd rather just doc this, but I haven't really thought hard about this.
Changed November 17, 2012 03:31PM UTC by comment:11
My plan was to just switch to text instead of HTML, like we did for autocomplete.
Changed November 17, 2012 04:36PM UTC by comment:12
Oh, if the plan is to NOT allow HTML, sure. If the plan is jQuery Obj = HTML vs. string = text, I'm against that as a generic strategy.
Changed November 17, 2012 04:38PM UTC by comment:13
| owner: | dalekocian |
|---|---|
| status: | assigned → open |
Can we offer a simpler override then the one necessary for autocomplete? Even if its not becoming an option, this isn't exactly trivial: https://github.com/scottgonzalez/jquery-ui-extensions/blob/master/autocomplete/jquery.ui.autocomplete.html.js
The idea about accepting a jQuery object doesn't sound so bad.
Changed November 18, 2012 03:23AM UTC by comment:14
An extension for dialog would be simpler. Autocomplete is complicated because of data sources and plain text searching across nodes. Accepting a jQuery object for the title option seems extremely confusing to me. I understand the logic on a technical level, but from an API standpoint, it's unintuitive, confusing, and cumbersome.
Changed November 18, 2012 02:42PM UTC by comment:15
Here's a potential patch against the dialog branch, extracting setting of the title into a
_titlemethod, making it pretty easy to override. The only drawback is that in order to set the current implicit default, I still have to use html: https://gist.github.com/f945add6e6d32935d906
Is that acceptable?
Changed November 18, 2012 03:14PM UTC by comment:16
I commented on the gist. I like the approach, it just appeared to me that there's an error. Perhaps I just don't know that code well enough yet.
Changed November 18, 2012 10:49PM UTC by comment:17
The patch snippets were misleading, along with an incomplete refactoring. Also commented on the gist.
Changed November 26, 2012 09:13AM UTC by comment:18
| summary: | XSS Vulnerability - Dialog Title → Dialog: Title XSS Vulnerability |
|---|
Changed November 26, 2012 09:30AM UTC by comment:19
| resolution: | → fixed |
|---|---|
| status: | open → closed |
Dialog: Extract setting the title into a _title method, use .text() to prevent XSS. Fixes #6016 - Dialog: Title XSS Vulnerability.
Changeset: 7e9060c109b928769a664dbcc2c17bd21231b6f3
The fact that you can provide HTML doesn't create a vulnerability. This would be like saying that jQuery has an XSS vulnerability because it provides a .html() method.