#15048 closed bug (fixed)
XSS issue in autocomplete demo
| Reported by: | Christian Wenz | Owned by: | Christian Wenz |
|---|---|---|---|
| Priority: | minor | Milestone: | 1.12.2 |
| Component: | [meta] ui.dev | Version: | 1.12.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description (last modified by )
The search.php file in the autocomplete demo does not validate the value of $_GET["callback"] before outputting it, thus allowing Cross-Site Scripting.
The PR adds a simple check for alphanumeric characters and the underscore, which is what jQuery uses by default for JSONP requests.
Change History (8)
comment:1 Changed 7 years ago by
| Description: | modified (diff) |
|---|
comment:2 Changed 7 years ago by
| Owner: | set to Christian Wenz |
|---|---|
| Status: | new → pending |
comment:3 Changed 7 years ago by
As far as I can tell, there is no real attack vector. This is just about general practices for sanitizing user input. I'm fine landing the PR, but unless someone can point out an actual security vulnerability, I don't believe there is a bug.
comment:4 Changed 7 years ago by
| Resolution: | → notabug |
|---|---|
| Status: | pending → closed |
The team cannot figure out any actual attack vectors. The only attack vector that could occur would be on the client machine that's making the request. For our demos, there's no attack vector on that side either.
comment:5 Changed 7 years ago by
sorry for replying so late - somehow didn't get the email notifications :( Attack vector is loading search.php?term=X&callback=script_tag_with_some_code in the browser. See also the discussion for PR 1747. Please reopen!
comment:6 Changed 7 years ago by
| Component: | ui.autocomplete → [meta] ui.dev |
|---|---|
| Resolution: | notabug |
| Status: | closed → reopened |
comment:8 Changed 7 years ago by
| Milestone: | none → 1.12.2 |
|---|
The fix looks fine to me. I'm curious: What's the attack vector here? Can you be more specific than "XSS"?