Opened 5 years ago
Closed 2 years ago
#15284 closed bug (fixed)
XSS Vulnerability on text options of jQuery UI datepicker
Reported by: | andycyork | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | none |
Component: | ui.datepicker | Version: | 1.12.1 |
Keywords: | Cc: | ||
Blocked by: | Blocking: |
Description
similar to https://github.com/jquery/api.jqueryui.com/issues/281 but applies to the datepicker
to recreate
Create a new HTML page.
Inject this content into new page:
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>XSS in options of datepicker</title> <script src="https://code.jquery.com/jquery-3.3.1.js"></script> <script src="https://code.jquery.com/ui/1.12.1/jquery-ui.js"></script> <link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.12.1/themes/base/jquery-ui.css"> <script> $(document).ready(function () { $( "#datepicker" ).datepicker({ showButtonPanel: true, showOn: "both", closeText: '<script>alert("closeText XSS")<\/script>', currentText: '<script>alert("currentText XSS")<\/script>', prevText: '<script>alert("prevText XSS")<\/script>', nextText: '<script>alert("nextText XSS")<\/script>', buttonText: '<script>alert("buttonText XSS")<\/script>', appendText: '<script>alert("appendText XSS")<\/script>' }); }); </script> </head> <body> <p>Date: <input type="text" id="datepicker"></p> </body> </html>
on load, alerts are shown for appendText & buttonText
after clicking the input control, alerts are shown for closeText, currentText, prevText & nextText
The scripted alerts should not be shown - an attacker can take advantage of injecting malicious XSS content into website.
Note: See
TracTickets for help on using
tickets.
Fixed in https://github.com/jquery/jquery-ui/pull/1953