Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#15199 closed bug (notabug)

input widget, content argument DOM based XSS

Reported by: psych0tr1a Owned by:
Priority: minor Milestone: none
Component: ui.tooltip Version: 1.12.1
Keywords: Cc:
Blocked by: Blocking:

Description

Proof of concept:

<link rel="stylesheet" href="//code.jquery.com/ui/1.12.0/themes/smoothness/jquery-ui.css">
<script src="//code.jquery.com/jquery-1.12.4.js"></script>
<script src="//code.jquery.com/ui/1.12.1/jquery-ui.js"></script>

<input title="Input help">

<script>
$( document ).tooltip({
content: "<img src=s onerror=alert(1)>"
});
</script>

Change History (4)

comment:1 Changed 22 months ago by Scott González

Component: ui.widgetui.tooltip
Resolution: notabug
Status: newclosed

That's not XSS. That's you explicitly inserting a script.

comment:2 Changed 22 months ago by psych0tr1a

Sorry but you are absolutely wrong. Functionality means that there will be inserted text ane html, if the developers will use this functionality and there will be a user input then this is XSS. Example of similar bug http://www.cvedetails.com/cve/CVE-2010-5312/

comment:4 Changed 22 months ago by Scott González

Those are both text options. This is an HTML option. If you allow user input, then it's your responsibility to clean it.

Note: See TracTickets for help on using tickets.