Skip to main content

Search and Top Navigation

#6016 closed bug (fixed)

Opened September 03, 2010 04:07PM UTC

Closed November 26, 2012 09:30AM UTC

Dialog: Title XSS Vulnerability

Reported by: shadowman131 Owned by:
Priority: major Milestone: 1.10.0
Component: ui.dialog Version: 1.8.4
Keywords: Cc:
Blocked by: Blocking:

jQuery.ui.dialog's title option is not properly escaped before being set in the dom, resulting in an XSS vulnerability for applications with dynamic titles. For instance, try:

$('<div>Hi</div>').dialog({title:'<script type="text/javascript">alert("XSS");</script>"});

If this is the desired behaviour, it should at least be noted somewhere. The best reason I could think of for this to be desired would be to use icons in <img> tags in the title. For this, maybe something like:


title: { html: '<img src="blah">' }


Would be more appropriate, as the developer indicates that they mean to use full HTML and are aware of the risks.

Attachments (0)
Change History (19)

Changed September 03, 2010 05:10PM UTC by scottgonzalez comment:1

resolution: → invalid
status: newclosed

The fact that you can provide HTML doesn't create a vulnerability. This would be like saying that jQuery has an XSS vulnerability because it provides a .html() method.

Changed September 03, 2010 06:26PM UTC by shadowman131 comment:2

I strongly disagree - as I said in the bug, at least make it apparent in the documentation. To me, a dialog title is a text attribute - I'm sure others would agree. It doesn't make sense to not escape it by default, and not even mention the lack of escaping.

Changed September 03, 2010 06:42PM UTC by scottgonzalez comment:3

The documentation has been updated.

Changed May 02, 2011 07:16PM UTC by scottgonzalez comment:4

milestone: TBD1.9
resolution: invalid
status: closedreopened

Changed May 02, 2011 07:17PM UTC by gnarf comment:5

Even scarier is using the

attrib of the div itself:

Changed May 06, 2011 11:56PM UTC by Xavi comment:6

I agree with shadowman13 (the OP) -- titles and labels ''should'' be html escaped by default. I feel most people assume that titles and label are purely textual attributes and as a result don't perceive them as possible XSS vulnerabilities.

For the the use case where someone wants to add an image to the title, we can require them to pass in a jquery object:

$("<div>Poppit</div>").dialog({ title: $("<img src='cheggit.png' />") });

Requiring a jquery object also improves error detection/reporting. Currently, if a user accidentally sets the title to a malformed piece of html (e.g. "<img src='cheggit.png'/"), jquery-ui will silently fail and leave the title blank. As opposed to passing in $("<img src='cheggit.png'/") which would immediately throw an exception.

IMO, this change would lead to less surprising code and better error handling.

Changed October 11, 2012 02:47PM UTC by scottgonzalez comment:7


Changed October 16, 2012 06:03PM UTC by dalekocian comment:8

owner: → dalekocian
status: reopenedassigned

Changed November 17, 2012 03:19PM UTC by jzaefferer comment:9

If we escape the title by default, we need a way to allow the user to pass in HTML anyway. The suggestion here by Xavi is to accept a jQuery object. Do we have any examples of that elsewhere? Other ideas or opinions?

Changed November 17, 2012 03:26PM UTC by mikesherov comment:10

Requiring a jQuery object everywhere a perceived XSS exists seems like a slippery slope to me. I'd rather just doc this, but I haven't really thought hard about this.

Changed November 17, 2012 03:31PM UTC by scottgonzalez comment:11

My plan was to just switch to text instead of HTML, like we did for autocomplete.

Changed November 17, 2012 04:36PM UTC by mikesherov comment:12

Oh, if the plan is to NOT allow HTML, sure. If the plan is jQuery Obj = HTML vs. string = text, I'm against that as a generic strategy.

Changed November 17, 2012 04:38PM UTC by jzaefferer comment:13

owner: dalekocian
status: assignedopen

Can we offer a simpler override then the one necessary for autocomplete? Even if its not becoming an option, this isn't exactly trivial:

The idea about accepting a jQuery object doesn't sound so bad.

Changed November 18, 2012 03:23AM UTC by scottgonzalez comment:14

An extension for dialog would be simpler. Autocomplete is complicated because of data sources and plain text searching across nodes. Accepting a jQuery object for the title option seems extremely confusing to me. I understand the logic on a technical level, but from an API standpoint, it's unintuitive, confusing, and cumbersome.

Changed November 18, 2012 02:42PM UTC by jzaefferer comment:15

Here's a potential patch against the dialog branch, extracting setting of the title into a

method, making it pretty easy to override. The only drawback is that in order to set the current implicit default, I still have to use html:

Is that acceptable?

Changed November 18, 2012 03:14PM UTC by mikesherov comment:16

I commented on the gist. I like the approach, it just appeared to me that there's an error. Perhaps I just don't know that code well enough yet.

Changed November 18, 2012 10:49PM UTC by jzaefferer comment:17

The patch snippets were misleading, along with an incomplete refactoring. Also commented on the gist.

Changed November 26, 2012 09:13AM UTC by jzaefferer comment:18

summary: XSS Vulnerability - Dialog TitleDialog: Title XSS Vulnerability

Changed November 26, 2012 09:30AM UTC by Jörn Zaefferer comment:19

resolution: → fixed
status: openclosed

Dialog: Extract setting the title into a _title method, use .text() to prevent XSS. Fixes #6016 - Dialog: Title XSS Vulnerability.

Changeset: 7e9060c109b928769a664dbcc2c17bd21231b6f3