Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#15200 closed bug (notabug)

Checkboxradio widget, label attribute DOM based XSS

Reported by: psych0tr1a Owned by:
Priority: minor Milestone: none
Component: ui.checkbxoradio Version: 1.12.1
Keywords: Cc:
Blocked by: Blocking:

Description

Proof of concept:

<link rel="stylesheet" href="//code.jquery.com/ui/1.12.1/themes/smoothness/jquery-ui.css">
<script src="//code.jquery.com/jquery-1.12.4.js"></script>
<script src="//code.jquery.com/ui/1.12.1/jquery-ui.js"></script>

<fieldset>
  <legend>Select a Location: </legend>
  <label for="radio-1">New York</label>
  <input type="radio" name="radio-1" id="radio-1">
  <label for="radio-2">Paris</label>
  <input type="radio" name="radio-1" id="radio-2">
  <label for="radio-3">London</label>
  <input type="radio" name="radio-1" id="radio-3">
</fieldset>
 <script>
$( "input[type='radio']" ).checkboxradio({
  label: "<svg/onload=alert(1)>"
});
</script>

Change History (4)

comment:1 Changed 2 years ago by Scott González

Resolution: notabug
Status: newclosed

That's not XSS. That's you explicitly inserting a script.

comment:2 Changed 2 years ago by psych0tr1a

Sorry but you are absolutely wrong. Functionality means that there will be inserted text ane html, if the developers will use this functionality and there will be a user input then this is XSS. Example of similar bug http://www.cvedetails.com/cve/CVE-2010-5312/

comment:4 Changed 2 years ago by Scott González

Those are both text options, this is an HTML option.

Note: See TracTickets for help on using tickets.