Opened 11 years ago

Closed 11 years ago

Last modified 9 years ago

#6017 closed bug (notabug)

XSS Vulnerability - Autocomplete Labels

Reported by: shadowman131 Owned by:
Priority: major Milestone:
Component: ui.autocomplete Version: 1.8.4
Keywords: Cc:
Blocked by: Blocking:


Similar to .

Autocomplete's results include a 'label' field which is not properly escaped as text when inserted into the results list. This leads to XSS vulnerabilities for applications with a dynamic autocomplete. Example autocomplete return object:

[{"label":"<script type=\"text/javascript\">alert(\"XSS!\");</script>"}]

When received, the script is executed by the autocomplete's results list. This dangerous behavior should at least be noted somewhere in autocomplete's docs. A better option might be to escape the label as text by default, but also allow label to be specified as:

label: { html: '<img src="blah" />' }

To allow markup such as <img> tags to be used and allow the developer to proactively take responsibility.

Change History (6)

comment:1 Changed 11 years ago by Scott González

Resolution: invalid
Status: newclosed

Autocomplete does encode the labels. Perhaps you're using an old version.

comment:2 Changed 11 years ago by shadowman131

Resolution: invalid
Status: closedreopened

Um? I just looked at the source in jquery.ui.autocomplete line 288:

285 _renderItem: function( ul, item) { 286 return $( "<li></li>" ) 287 .data( "item.autocomplete", item ) 288 .append( "<a>" + item.label + "</a>" ) 289 .appendTo( ul ); 290 },

Clearly, it is not escaped. Yes, I also backtracked all the way back to the $.getJSON() request.

It could be fixed easily under _normalize...

comment:3 Changed 11 years ago by Scott González

Resolution: invalid
Status: reopenedclosed

As I said earlier, you're looking at an old version of the plugin.

comment:4 Changed 11 years ago by shadowman131

Ah, ok. Why is trac's Browse Source so far out of sync?

comment:5 Changed 11 years ago by Scott González

Because it points at SVN which we don't use anymore. I'm not sure how to turn that off.

comment:6 Changed 9 years ago by Scott González

Milestone: TBD

Milestone TBD deleted

Note: See TracTickets for help on using tickets.