#15199 closed bug (notabug)

Opened June 06, 2017 01:12PM UTC

Closed June 06, 2017 01:21PM UTC

Last modified June 06, 2017 01:49PM UTC

input widget, content argument DOM based XSS

Reported by: psych0tr1a Owned by:
Priority: minor Milestone: none
Component: ui.tooltip Version: 1.12.1
Keywords: Cc:
Blocked by: Blocking:

Proof of concept:

<link rel="stylesheet" href="//">
<script src="//"></script>
<script src="//"></script>

<input title="Input help">

$( document ).tooltip({
    content: "<img src=s onerror=alert(1)>"
});
Change History (4)

Changed June 06, 2017 01:21PM UTC by scottgonzalez comment:1

component: ui.widget → ui.tooltip
resolution: → notabug
status: new → closed

That's not XSS. That's you explicitly inserting a script.

Changed June 06, 2017 01:29PM UTC by psych0tr1a comment:2

Sorry, but you are absolutely wrong. The functionality means that text and HTML will be inserted; if developers use this functionality and there is user input, then this is XSS.

Example of similar bug

Changed June 06, 2017 01:32PM UTC by psych0tr1a comment:3

Changed June 06, 2017 01:49PM UTC by scottgonzalez comment:4

Those are both text options. This is an HTML option. If you allow user input, then it's your responsibility to clean it.
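
The position taken in comment:4 (the `content` option is an HTML option, so the caller must clean any user input), sketched as an added example that is not code from the ticket or from jQuery UI. The `data-help` attribute, the `tooltipOptionsFor` helper and the "Help:" markup are assumptions made for illustration; the sample input is the payload from the proof of concept above.

```javascript
// Characters that can change HTML parsing context, mapped to their entities.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Turn arbitrary text into a string that is inert when parsed as HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build tooltip options whose `content` callback mixes trusted markup
// (written by the developer) with untrusted text (escaped before use).
// getUntrustedText(element) is a hypothetical hook supplied by the application.
function tooltipOptionsFor(getUntrustedText) {
  return {
    content: function () {
      // The tooltip widget calls this with `this` set to the target element.
      return "<strong>Help:</strong> " + escapeHtml(getUntrustedText(this));
    }
  };
}

// Constructed sample: the ticket's payload arriving as user-controlled text.
const samplePayload = "<img src=s onerror=alert(1)>";

// Render the sample through the same callback the widget would invoke.
function renderSample() {
  return tooltipOptionsFor(() => samplePayload).content.call({});
}

// In a page with jQuery UI loaded, wire the options to the widget.
// Assumes the help text is stored in a hypothetical data-help attribute.
if (typeof jQuery !== "undefined") {
  jQuery(document).tooltip(
    tooltipOptionsFor((el) => el.getAttribute("data-help") || "")
  );
}
```

With the escaping in place the payload is displayed as literal text in the tooltip instead of being parsed as an element.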