
#7272 closed bug (worksforme)

Opened April 20, 2011 03:56AM UTC

Closed May 16, 2011 01:15PM UTC

Combobox demo: XSS vulnerability

Reported by: plentz
Owned by:
Priority: minor
Milestone: 1.9.0
Component: ui.autocomplete
Version: 1.8.11
Keywords:
Cc:
Blocked by:
Blocking:
Description

The values of the select options should be treated as text, not html.

Attachments (0)
Change History (3)

Changed May 03, 2011 12:36PM UTC by scottgonzalez comment:1

description: "If the elements of the combobox contain any xss, it will be executed when the user tries to filter its elements. github pull request https://github.com/jquery/jquery-ui/pull/158, github commit https://github.com/plentz/jquery-ui/commit/aaa51190ad949c99228f425bbd2bad115977e7b0" → "The values of the select options should be treated as text, not html."
status: new → open
summary: "Autocomplete-combobox has a serious xss vulnerability" → "Combobox demo: XSS vulnerability"

Changed May 13, 2011 11:11PM UTC by davidmurdoch comment:2

This looks fixed already.

Changed May 16, 2011 01:15PM UTC by scottgonzalez comment:3

resolution: → worksforme
status: open → closed

This actually doesn't seem to have been a problem.
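
The ticket description asks that option values be treated as text, not HTML. The following is an added example, not the jQuery UI demo's code or the project's change, of building filtered labels that way; the function names, the `<strong>` highlighting of the match and the sample options are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not jQuery UI API.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a string so that it can only ever be rendered as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape regex metacharacters so the user's filter term is matched literally.
function escapeRegex(term) {
  return term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build the label for one option. The match is wrapped in <strong>, and every
// piece of option text is escaped before it is joined into markup, so the only
// tags in the result are the ones this function adds.
function buildLabel(optionText, term) {
  if (!term) return escapeHtml(optionText);
  const splitter = new RegExp("(" + escapeRegex(term) + ")", "gi");
  // split() with a capture group places the matched pieces at odd indexes.
  return optionText
    .split(splitter)
    .map((part, i) => (i % 2 === 1 ? "<strong>" + escapeHtml(part) + "</strong>" : escapeHtml(part)))
    .join("");
}

// Filter option texts by the term and return autocomplete-style items:
// `value` stays the raw text, `label` is the markup that is safe to insert.
function filterOptions(optionTexts, term) {
  const matcher = new RegExp(escapeRegex(term), "i");
  return optionTexts
    .filter((text) => matcher.test(text))
    .map((text) => ({ value: text, label: buildLabel(text, term) }));
}

// Constructed sample option texts, including one that contains markup.
const SAMPLE_OPTIONS = ["JavaScript", "Java <script>alert(1)</script>", "C & C++", "Python"];
```

Escaping after highlighting would also encode the `<strong>` tags, and highlighting without escaping would pass the option's own markup through, which is why each split piece is escaped individually.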