#8859 closed bug (fixed)
Autocomplete: XSS in combobox demo
| Reported by: | DJtomy | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 1.10.0 |
| Component: | ui.autocomplete | Version: | |
| Keywords: | | Cc: | |
| Blocked by: | | Blocking: | |
Description
Hello, I would like to report an XSS vulnerability that I've found on your site.
Address: http://jqueryui.com/autocomplete/#combobox
Steps to follow:
- enter in the textbox something like test><script>alert(document.cookie)</script>
- Press the Show All Items button or the Show underlying select button.
You'll see that the script is executed, which means that the autocomplete module makes the website vulnerable.
Even if the vulnerability might be useless in its current context, it is a bad example for other webmasters, who will fall into creating insecure websites by following the on-site example. That's why I think this should be repaired as soon as possible.
Cheers!
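The root cause described in the report is a search term interpolated into tooltip markup without HTML encoding, so a term containing tags becomes live DOM when the tooltip is rendered. The following is an added example, not the jQuery UI combobox demo's own code: it puts the vulnerable string-building pattern next to the encoded form and feeds both the payload from the ticket. The function names (`renderTooltipUnsafe`, `renderTooltipSafe`, `escapeHtml`, `containsScriptTag`) and the tooltip wording are assumptions for illustration.

```javascript
// Added example (not jQuery UI's code): interpolating a search term into
// tooltip HTML versus HTML-encoding it first. Names here are assumptions.

// Payload taken from the ticket, reproduced as a constructed input.
const TICKET_PAYLOAD = 'test><script>alert(document.cookie)</script>';

// Minimal entity encoding that is safe for text nodes and for
// double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw term lands in a string that the page will hand
// to innerHTML / jQuery .html(), so any tags in it are parsed as markup.
function renderTooltipUnsafe(term) {
  return '<div class="ui-tooltip-content">' + term + " didn't match any item</div>";
}

// Hardened pattern: encode the term so the browser renders it as text.
// In a browser the equivalent is building the node with .text() /
// textContent instead of concatenating into markup.
function renderTooltipSafe(term) {
  return '<div class="ui-tooltip-content">' + escapeHtml(term) + " didn't match any item</div>";
}

// Crude detector used to compare the two renderings: a raw <script tag
// in the output means the term was inserted as markup.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderTooltipUnsafe(TICKET_PAYLOAD));
console.log('safe:  ', renderTooltipSafe(TICKET_PAYLOAD));
console.log('unsafe executes script?', containsScriptTag(renderTooltipUnsafe(TICKET_PAYLOAD)));
console.log('safe executes script?  ', containsScriptTag(renderTooltipSafe(TICKET_PAYLOAD)));
```

Encoding at the point where the term is placed into markup is what closes the hole; trimming or validating the term on input does not help, since the demo has to display whatever the user typed. The same encoder has to be applied for every sink the term reaches (the tooltip body here, but equally any `title` attribute or list item built from it).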
Change History (5)
comment:1 Changed 10 years ago by
| Component: | ui.dialog → ui.autocomplete |
|---|---|
| Status: | new → open |
| Summary: | XSS in dialog → Autocomplete: XSS in combobox demo |
comment:2 follow-up: 3 Changed 10 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | open → closed |
comment:3 Changed 10 years ago by
Replying to Scott González:
Autocomplete demo: Combobox: Encode search term inside tooltips. Fixes #8859 - Autocomplete: XSS in combobox demo.
Changeset: 5fee6fd5000072ff32f2d65b6451f39af9e0e39e
Just tested again, it is not fixed! XSS still working.
comment:4 follow-up: 5 Changed 10 years ago by
DJTomy, the milestone is 1.10, which means it'll be fixed when that version is released.
comment:5 Changed 10 years ago by
Replying to mikesherov:
DJTomy, the milestone is 1.10, which means it'll be fixed when that version is released.
I understand, my bad! Sorry for the trouble!