Opened 7 years ago
Closed 7 years ago
#14731 closed bug (worksforme)
XSS Vulnerability on _attachDatepicker function
Reported by: | phatly27 | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | none |
Component: | ui.datepicker | Version: | 1.9.2 |
Keywords: | | Cc: | |
Blocked by: | | Blocking: | |
Description
VULNERABILITY DETAILS
A potential bug enables us to inject XSS content into an attribute (with the format "date: [PROPERTY_IN_DEFAULTS_DATEPICKER]") of any HTML element using the _attachDatepicker function of the ui datepicker component. This function uses the eval syntax to evaluate the JavaScript code dynamically.
VERSION
Any site using the older versions, from version 1.9.2 back to the lowest version.
REPRODUCTION CASE
- Create a new HTML page.
- Inject this content into the new page.

```html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
    <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script>
    <script src="https://code.jquery.com/ui/1.9.2/jquery-ui.min.js"></script>
    <script>
        $(document).ready(function () {
            $.datepicker.setDefaults({
                buttonText: 'abcde'
            });
            $.datepicker._attachDatepicker(document.getElementById("abc"));
            $('#datepicker').datepicker();
        });
    </script>
</head>
<body>
    <div id="abc" date:buttonText="alert('XSS')">
        <input name="datepicker" id="datepicker" type="text"/>
    </div>
</body>
</html>
```

- An alert popup was shown.
- Completed.
IN CONCLUSION
We expect that the alert popup shouldn't be displayed and that the eval syntax should be removed instead. If it displays, any attacker can take advantage of injecting malicious XSS content into the website.
Please see details here: http://jsfiddle.net/wanc8t9g/.
None of these versions are supported any more. Any site using such an old version isn't going to be any safer even if we released a new 1.9.x, which we won't. I'm closing as works for me since it has already been fixed for a long time.
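
The report above turns on `date:<option>` attribute text being passed to eval. As an added example (not jQuery UI's source and not code from this ticket), the block below sets a simplified version of that pattern beside an eval-free reader that chooses a parser from the type of each default; `DEFAULTS`, the function names and the sample attribute map are assumptions made for illustration.

```javascript
// Added example. DEFAULTS and every function name are hypothetical, not jQuery UI's API.
const DEFAULTS = { buttonText: "...", numberOfMonths: 1, showWeek: false,
                   dayNamesMin: ["Su", "Mo"], onSelect: null };

// Simplified form of the pattern the report describes: the attribute text is run as code.
function readInlineSettingsUnsafe(attrs, defaults) {
  const out = {};
  for (const name of Object.keys(defaults)) {
    const raw = attrs["date:" + name];
    if (!raw) continue;
    try { out[name] = eval(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Hardened form: the default's type selects a parser; the text is never executed.
function coerce(raw, def) {
  if (typeof def === "string") return raw; // inert text; the caller must still output-encode it
  if (typeof def === "boolean") {
    return raw === "true" ? true : raw === "false" ? false : undefined;
  }
  if (typeof def === "number") {
    const n = Number(raw);
    return raw.trim() !== "" && Number.isFinite(n) ? n : undefined;
  }
  if (def === null || typeof def !== "object") return undefined; // callbacks: set from script only
  try {
    const v = JSON.parse(raw); // data, not code
    const sameShape = v !== null && typeof v === "object" &&
                      Array.isArray(v) === Array.isArray(def);
    return sameShape ? v : undefined;
  } catch (e) {
    return undefined;
  }
}

function readInlineSettingsSafe(attrs, defaults) {
  const out = {};
  for (const name of Object.keys(defaults)) {
    const raw = attrs["date:" + name];
    if (typeof raw !== "string") continue;
    const value = coerce(raw, defaults[name]);
    if (value !== undefined) out[name] = value;
  }
  return out;
}

// Constructed sample, modelled on the attributes of the <div id="abc"> in the report.
const sampleAttrs = { "date:buttonText": "alert('XSS')", "date:numberOfMonths": "1+1",
                      "date:showWeek": "true", "date:dayNamesMin": '["S","M"]',
                      "date:onSelect": "function(){}" };
```

With the eval-based reader the constructed value `1+1` comes back as the number 2, which shows the attribute being executed; the typed reader drops it as an invalid number and keeps `alert('XSS')` only as a string.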