Skip to main content

Search and Top Navigation

#6017 closed bug (notabug)

Opened September 03, 2010 04:12PM UTC

Closed September 03, 2010 06:59PM UTC

Last modified October 11, 2012 09:15PM UTC

XSS Vulnerability - Autocomplete Labels

Reported by: shadowman131 Owned by:
Priority: major Milestone:
Component: ui.autocomplete Version: 1.8.4
Keywords: Cc:
Blocked by: Blocking:
Description

Similar to http://dev.jqueryui.com/ticket/6016 .

Autocomplete's results include a 'label' field which is not properly escaped as text when inserted into the results list. This leads to XSS vulnerabilities for applications with a dynamic autocomplete. Example autocomplete return object:

[{"label":"<script type=\\"text/javascript\\">alert(\\"XSS!\\");</script>"}]

When received, the script is executed by the autocomplete's results list. This dangerous behavior should at least be noted somewhere in autocomplete's docs. A better option might be to escape the label as text by default, but also allow label to be specified as:

label: { html: '<img src="blah" />' }

To allow markup such as <img> tags to be used and allow the developer to proactively take responsibility.

Attachments (0)
Change History (6)

Changed September 03, 2010 05:06PM UTC by scottgonzalez comment:1

resolution: → invalid
status: newclosed

Autocomplete does encode the labels. Perhaps you're using an old version.

Changed September 03, 2010 06:37PM UTC by shadowman131 comment:2

resolution: invalid
status: closedreopened

Um? I just looked at the source in jquery.ui.autocomplete line 288:

285 _renderItem: function( ul, item) {

286 return $( "<li></li>" )

287 .data( "item.autocomplete", item )

288 .append( "<a>" + item.label + "</a>" )

289 .appendTo( ul );

290 },

Clearly, it is not escaped. Yes, I also backtracked all the way back to the $.getJSON() request.

It could be fixed easily under _normalize...

Changed September 03, 2010 06:59PM UTC by scottgonzalez comment:3

resolution: → invalid
status: reopenedclosed

As I said earlier, you're looking at an old version of the plugin.

http://github.com/jquery/jquery-ui/blob/master/ui/jquery.ui.autocomplete.js#L338

Changed September 03, 2010 07:04PM UTC by shadowman131 comment:4

Ah, ok. Why is trac's Browse Source so far out of sync?

Changed September 03, 2010 07:29PM UTC by scottgonzalez comment:5

Because it points at SVN which we don't use anymore. I'm not sure how to turn that off.

Changed October 11, 2012 09:15PM UTC by scottgonzalez comment:6

milestone: TBD

Milestone TBD deleted