Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#15048 closed bug (fixed)

XSS issue in autocomplete demo

Reported by: Christian Wenz
Owned by: Christian Wenz
Priority: minor
Milestone: 1.12.2
Component: [meta] ui.dev
Version: 1.12.1
Keywords:
Cc:
Blocked by:
Blocking:

Description (last modified by Ryan J Ollos)

The search.php file in the autocomplete demo does not validate the value of $_GET["callback"] before outputting it, thus allowing Cross-Site Scripting.

The PR adds a simple check for alphanumeric characters and the underscore, which is what jQuery uses by default for JSONP requests.
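The following is an added example, not the jQuery UI demo's own search.php and not the code from the PR or from commit 69e66ea6 (whose message says it escapes HTML tags in the callback name; the allowlist below is the stricter check the description proposes). It shows the unvalidated echo side by side with the hardened version, using a constructed item list in place of the demo's data and an assumed request-handling block at the top of the script.

```php
<?php
// Added example (not the jQuery UI demo's search.php): a minimal JSONP endpoint
// showing the unvalidated callback echo and a hardened allowlist check.

// Constructed sample data standing in for the demo's search results.
$items = ["Acer", "Asus", "Apple"];

function build_jsonp_vulnerable(string $callback, array $items): string {
    // BEFORE: the callback name from the query string is placed into the
    // response body unchanged, so whatever the client sends is reflected.
    return $callback . "(" . json_encode($items) . ")";
}

function valid_callback(string $callback): bool {
    // Allow only the characters jQuery itself generates for JSONP callback
    // names (letters, digits, underscore); anything else, tags included, fails.
    return preg_match('/^[A-Za-z0-9_]+$/', $callback) === 1;
}

function build_jsonp_hardened(string $callback, array $items): ?string {
    if (!valid_callback($callback)) {
        return null; // caller answers with 400 instead of echoing the value
    }
    return $callback . "(" . json_encode($items) . ")";
}

if (PHP_SAPI === 'cli') {
    // Stand-alone check when run from the command line: a jQuery-style name
    // is accepted, a constructed tag-bearing name is refused (null).
    var_dump(build_jsonp_hardened('jQuery112_1', $items));
    var_dump(build_jsonp_hardened('<b>not_a_callback', $items));
} else {
    // Assumed request handling for the web case; 'callback' is the parameter
    // named in the ticket, the default name is a constructed fallback.
    $callback = $_GET['callback'] ?? 'callback';
    $body = build_jsonp_hardened($callback, $items);
    if ($body === null) {
        http_response_code(400);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Invalid callback name";
        exit;
    }
    // Declare the body as script, and tell browsers not to sniff it as HTML,
    // so a direct load of the URL is never rendered as a document.
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}
```

The allowlist is the primary control: rejecting the request removes the reflected value entirely, whereas escaping keeps an attacker-chosen string in the body and relies on the escaping being complete. The Content-Type and nosniff headers are defense in depth for the case comment 5 describes (opening search.php directly in the browser), since a response served as HTML is what lets reflected markup execute.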

Change History (8)

comment:1 Changed 3 years ago by Ryan J Ollos

Description: modified (diff)

comment:2 Changed 3 years ago by Jörn Zaefferer

Owner: set to Christian Wenz
Status: new → pending

The fix looks fine to me. I'm curious: What's the attack vector here? Can you be more specific than "XSS"?

comment:3 Changed 3 years ago by Scott González

As far as I can tell, there is no real attack vector. This is just about general practices for sanitizing user input. I'm fine landing the PR, but unless someone can point out an actual security vulnerability, I don't believe there is a bug.

comment:4 Changed 3 years ago by Scott González

Resolution: notabug
Status: pending → closed

The team cannot figure out any actual attack vectors. The only attack vector that could occur would be on the client machine that's making the request. For our demos, there's no attack vector on that side either.

comment:5 Changed 3 years ago by Christian Wenz

Sorry for replying so late - somehow didn't get the email notifications :( Attack vector is loading search.php?term=X&callback=script_tag_with_some_code in the browser. See also the discussion for PR 1747. Please reopen!

comment:6 Changed 3 years ago by Scott González

Component: ui.autocomplete → [meta] ui.dev
Resolution: notabug → (cleared)
Status: closed → reopened

comment:7 Changed 3 years ago by Scott González

Resolution: fixed
Status: reopened → closed

In 69e66ea6:

Autocomplete: Escape HTML tags in callback name to avoid XSS in demo

Fixes #15048

comment:8 Changed 3 years ago by Scott González

Milestone: none → 1.12.2