Search and Top Navigation
#15201 closed bug (notabug)
Opened June 06, 2017 01:18PM UTC
Closed June 06, 2017 01:26PM UTC
Last modified June 06, 2017 01:49PM UTC
Button widget, label attribute DOM based XSS
| Reported by: | psych0tr1a | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | none |
| Component: | ui.button | Version: | 1.12.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
Proof of concept:
<link rel="stylesheet" href="//code.jquery.com/ui/1.12.1/themes/smoothness/jquery-ui.css">
<script src="//code.jquery.com/jquery-1.12.4.js"></script>
<script src="//code.jquery.com/ui/1.12.1/jquery-ui.js"></script>
<button>Button label</button>
<script>
$( "button" ).button({
label: "<svg/onload=alert(1)>"
});
</script>
Attachments (0)
Change History (5)
Changed June 06, 2017 01:26PM UTC by comment:1
| resolution: | → notabug |
|---|---|
| status: | new → closed |
Changed June 06, 2017 01:28PM UTC by comment:2
Sorry but you are absolutely wrong. Functionality means that there will be inserted text ane html, if the developers will use this functionality and there will be a user input then this is XSS.
Changed June 06, 2017 01:29PM UTC by comment:3
example of similar bug http://www.cvedetails.com/cve/CVE-2010-5312/
Changed June 06, 2017 01:32PM UTC by comment:4
another fixed bug
https://domstorm.skepticfx.com/modules?id=5739c438c9e0250300990935
Changed June 06, 2017 01:49PM UTC by comment:5
Those are both text options, this is an HTML option.
That's not XSS. That's you explicitly inserting a script.