XSS Vulnerability - Autocomplete Labels

[shadowman131]

Similar to ​http://dev.jqueryui.com/ticket/6016 .

Autocomplete's results include a 'label' field which is not properly escaped as text when inserted into the results list. This leads to XSS vulnerabilities for applications with a dynamic autocomplete. Example autocomplete return object:

[{"label":"<script type=\"text/javascript\">alert(\"XSS!\");</script>"}]

When received, the script is executed by the autocomplete's results list. This dangerous behavior should at least be noted somewhere in autocomplete's docs. A better option might be to escape the label as text by default, but also allow label to be specified as:

label: { html: '<img src="blah" />' }

To allow markup such as <img> tags to be used and allow the developer to proactively take responsibility.

[Scott González]

Autocomplete does encode the labels. Perhaps you're using an old version.

[shadowman131]

Um? I just looked at the source in jquery.ui.autocomplete line 288:

285 _renderItem: function( ul, item) { 286 return $( "<li></li>" ) 287 .data( "item.autocomplete", item ) 288 .append( "<a>" + item.label + "</a>" ) 289 .appendTo( ul ); 290 },

Clearly, it is not escaped. Yes, I also backtracked all the way back to the $.getJSON() request.

It could be fixed easily under _normalize...

[Scott González]

As I said earlier, you're looking at an old version of the plugin.

​http://github.com/jquery/jquery-ui/blob/master/ui/jquery.ui.autocomplete.js#L338

[shadowman131]

Ah, ok. Why is trac's Browse Source so far out of sync?

[Scott González]

Because it points at SVN which we don't use anymore. I'm not sure how to turn that off.

[Scott González]

Milestone TBD deleted