#6017 closed bug (notabug)
Opened September 03, 2010 04:12PM UTC
Closed September 03, 2010 06:59PM UTC
Last modified October 11, 2012 09:15PM UTC
XSS Vulnerability - Autocomplete Labels
Reported by: | shadowman131 | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | ui.autocomplete | Version: | 1.8.4 |
Keywords: | | Cc: | |
Blocked by: | | Blocking: | |
Description
Similar to http://dev.jqueryui.com/ticket/6016 .
Autocomplete's results include a 'label' field which is not properly escaped as text when inserted into the results list. This leads to XSS vulnerabilities for applications with a dynamic autocomplete. Example autocomplete return object:
[{"label":"<script type=\"text/javascript\">alert(\"XSS!\");</script>"}]
When received, the script is executed by the autocomplete's results list. This dangerous behavior should at least be noted somewhere in autocomplete's docs. A better option might be to escape the label as text by default, but also allow label to be specified as:
label: { html: '<img src="blah" />' }
To allow markup such as <img> tags to be used and allow the developer to proactively take responsibility.
Attachments (0)
Change History (6)
Changed September 03, 2010 05:06PM UTC by comment:1
resolution: | → invalid |
---|---|
status: | new → closed |
Changed September 03, 2010 06:37PM UTC by comment:2
resolution: | invalid |
---|---|
status: | closed → reopened |
Um? I just looked at the source in jquery.ui.autocomplete line 288:
```javascript
285 _renderItem: function( ul, item) {
286     return $( "<li></li>" )
287         .data( "item.autocomplete", item )
288         .append( "<a>" + item.label + "</a>" )
289         .appendTo( ul );
290 },
```
Clearly, it is not escaped. Yes, I also backtracked all the way back to the $.getJSON() request.
It could be fixed easily under _normalize...
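The rendering difference this ticket turns on, as an added example that is not jQuery UI's code and not part of the ticket: the string-concatenation form quoted in comment:2 beside a form that escapes the label as text and honours the `label: { html: '...' }` opt-in proposed in the description. It is written without jQuery so it runs under Node; `escapeHtml`, `renderItemUnsafe`, `renderItemSafe`, `containsRawScriptTag` and the `{ html }` label shape are assumptions of this example, not jQuery UI APIs, and the sample results are constructed from the payload in the description.

```javascript
// Added example, not jQuery UI's code. Shows why concatenating a label into
// markup is an XSS sink and what the text-escaping alternative looks like.

// Minimal HTML escaper for text content: the five characters that can change
// parsing in text or attribute context. (Assumed helper, not a jQuery UI API.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: mirrors the old _renderItem quoted in comment:2. Whatever the
// server sends as `label` becomes markup in the results list.
function renderItemUnsafe(item) {
  return '<li><a>' + item.label + '</a></li>';
}

// Hardened form: a plain label is escaped as text. Markup is accepted only when
// the developer opts in with label: { html: '...' }, the shape suggested in the
// ticket description (an assumption of this example, not a jQuery UI option).
function renderItemSafe(item) {
  const label = item.label;
  const optedIntoHtml = label !== null && typeof label === 'object' && 'html' in label;
  const inner = optedIntoHtml
    ? String(label.html)   // developer-supplied markup, trusted by explicit choice
    : escapeHtml(label);   // everything else is rendered as text
  return '<li><a>' + inner + '</a></li>';
}

// Renders a whole result set with the chosen item renderer.
function renderList(items, renderItem) {
  return '<ul>' + items.map(renderItem).join('') + '</ul>';
}

// Regression check a test suite could keep: an unescaped <script> tag in the
// rendered list means a label reached the DOM as markup.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample results: the payload from the ticket description, a label
// with a bare ampersand, and a label that opts into markup.
const sampleResults = [
  { label: '<script type="text/javascript">alert("XSS!");</script>' },
  { label: 'Tom & Jerry' },
  { label: { html: '<img src="blah" />' } },
];

// Returns both renderings so the contrast can be inspected or asserted on.
function demo() {
  return {
    unsafe: renderList(sampleResults, renderItemUnsafe),
    safe: renderList(sampleResults, renderItemSafe),
  };
}
```

In jQuery itself the DOM-based equivalent of `escapeHtml` is `$("<a></a>").text(item.label)`: `.text()` sets a text node, so the browser never parses the label as markup, while `.append("<a>" + item.label + "</a>")` hands the label to the HTML parser.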
Changed September 03, 2010 06:59PM UTC by comment:3
resolution: | → invalid |
---|---|
status: | reopened → closed |
As I said earlier, you're looking at an old version of the plugin.
http://github.com/jquery/jquery-ui/blob/master/ui/jquery.ui.autocomplete.js#L338
Changed September 03, 2010 07:04PM UTC by comment:4
Ah, ok. Why is trac's Browse Source so far out of sync?
Changed September 03, 2010 07:29PM UTC by comment:5
Because it points at SVN which we don't use anymore. I'm not sure how to turn that off.
Changed October 11, 2012 09:15PM UTC by comment:6
milestone: | TBD → |
---|---|
Milestone TBD deleted
Autocomplete does encode the labels. Perhaps you're using an old version.