#6017 closed bug (notabug)
XSS Vulnerability - Autocomplete Labels
Reported by: | shadowman131 | Owned by: |
---|---|---|---
Priority: | major | Milestone: |
Component: | ui.autocomplete | Version: | 1.8.4
Keywords: | | Cc: |
Blocked by: | | Blocking: |
Description
Similar to http://dev.jqueryui.com/ticket/6016.
Autocomplete's results include a 'label' field which is not properly escaped as text when inserted into the results list. This leads to XSS vulnerabilities for applications with a dynamic autocomplete. Example autocomplete return object:
[{"label":"<script type=\"text/javascript\">alert(\"XSS!\");</script>"}]
When received, the script is executed by the autocomplete's results list. This dangerous behavior should at least be noted somewhere in autocomplete's docs. A better option might be to escape the label as text by default, but also allow label to be specified as:
label: { html: '<img src="blah" />' }
To allow markup such as <img> tags to be used and allow the developer to proactively take responsibility.
Change History (6)
comment:1 Changed 12 years ago by
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 Changed 12 years ago by
Resolution: | invalid |
---|---|
Status: | closed → reopened |
Um? I just looked at the source in jquery.ui.autocomplete line 288:
285 _renderItem: function( ul, item) {
286     return $( "<li></li>" )
287         .data( "item.autocomplete", item )
288         .append( "<a>" + item.label + "</a>" )
289         .appendTo( ul );
290 },
Clearly, it is not escaped. Yes, I also backtracked all the way back to the $.getJSON() request.
It could be fixed easily under _normalize...
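An added example, not jQuery UI's own code: the unescaped rendering quoted in comment 2 next to a renderer that escapes string labels by default and only passes markup through for the `label: { html: ... }` form proposed in the description. Plain string building stands in for the jQuery DOM calls so it runs without a browser; `escapeHtml`, `renderItemUnsafe`, `renderItemSafe`, `containsScriptTag` and the sample items are names and data assumed for this example.

```javascript
// Assumed helper for this example (not part of jQuery UI): escape the five
// characters that can break out of HTML text content or an attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// String equivalent of the 1.8.4 _renderItem shown in comment 2: the label is
// concatenated straight into markup, so any tags in it become live HTML.
function renderItemUnsafe(item) {
  return "<li><a>" + item.label + "</a></li>";
}

// Hardened renderer: a string label is always treated as text; raw markup is
// used only when the item explicitly carries label: { html: "..." }.
function renderItemSafe(item) {
  const label = item.label;
  let html;
  if (label !== null && typeof label === "object" && typeof label.html === "string") {
    html = label.html;          // developer opted in and owns this markup
  } else {
    html = escapeHtml(label);   // default: never interpret the label as HTML
  }
  return "<li><a>" + html + "</a></li>";
}

// Detection helper: does the rendered markup still contain a live <script> tag?
function containsScriptTag(markup) {
  return /<script[\s>]/i.test(markup);
}

// Render a whole result list with the hardened renderer.
function renderListSafe(items) {
  return "<ul>" + items.map(renderItemSafe).join("") + "</ul>";
}

// Constructed sample input; the first label is the payload quoted in the
// ticket description, the last uses the proposed opt-in form.
const SAMPLE_ITEMS = [
  { label: '<script type="text/javascript">alert("XSS!");</script>' },
  { label: "Tom & Jerry <3" },
  { label: { html: '<img src="blah" />' } }
];
```

With real jQuery the same default is obtained by building the anchor with `$("<a></a>").text(item.label)` instead of concatenating the label into `.append()`.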
comment:3 Changed 12 years ago by
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
As I said earlier, you're looking at an old version of the plugin.
http://github.com/jquery/jquery-ui/blob/master/ui/jquery.ui.autocomplete.js#L338
comment:5 Changed 12 years ago by
Because it points at SVN which we don't use anymore. I'm not sure how to turn that off.
Autocomplete does encode the labels. Perhaps you're using an old version.