#8859 closed bug (fixed)

Opened November 27, 2012 12:16PM UTC

Closed November 27, 2012 03:53PM UTC

Last modified November 28, 2012 11:57AM UTC

Autocomplete: XSS in combobox demo

Reported by: DJtomy
Owned by:
Priority: minor
Milestone: 1.10.0
Component: ui.autocomplete
Version:
Keywords:
Cc:
Blocked by:
Blocking:

Description

Hello,

I would like to report an XSS vulnerability that I've found on your site.

Address:

http://jqueryui.com/autocomplete/#combobox

Steps to follow:

1. enter in the textbox something like test><script>alert(document.cookie)</script>

2. Press the Show All Items button or the Show underlying select button.

You'll see that the script is executed, which means that the autocomplete module makes the website vulnerable.

Even if the vulnerability might be useless in its current context, it is a bad example for other webmasters that will fall into creating insecure websites following the on-site example. That's why I think this should be repaired as soon as possible.

Cheers!

Attachments (0)
Change History (5)

Changed November 27, 2012 12:52PM UTC by jzaefferer comment:1

component: ui.dialog → ui.autocomplete
status: new → open
summary: XSS in dialog → Autocomplete: XSS in combobox demo

Changed November 27, 2012 03:53PM UTC by Scott González comment:2

resolution: → fixed
status: open → closed

Autocomplete demo: Combobox: Encode search term inside tooltips. Fixes #8859 - Autocomplete: XSS in combobox demo.

Changeset: 5fee6fd5000072ff32f2d65b6451f39af9e0e39e
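
The fix recorded in comment:2 encodes the search term before it is placed inside the tooltip. The following is an added example, not code from the jQuery UI changeset: it contrasts concatenating the term into tooltip markup with encoding it first, and includes a regression check that can run in a demo's test suite. The helper names and the tooltip message wording are assumptions.

```javascript
// Added example; helper names and the message wording are hypothetical.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change the HTML parsing context.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// "Before": the search term is concatenated into tooltip markup as-is.
function tooltipUnsafe(term) {
  return "<span>" + term + " didn't match any item</span>";
}

// "After": the term is encoded once, at output, so it can only render as text.
function tooltipSafe(term) {
  return "<span>" + encodeHtml(term) + " didn't match any item</span>";
}

// Names of the opening tags an HTML parser would see in the markup
// (a crude scan, sufficient for a regression check on generated strings).
function tagNames(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Regression check: the tooltip may contain no element except its own wrapper.
function onlyWrapper(html) {
  return tagNames(html).every((name) => name === "span");
}

// Constructed sample input: the string from step 1 of the report.
const reported = "test><script>alert(document.cookie)</script>";

console.log(tagNames(tooltipUnsafe(reported)), onlyWrapper(tooltipUnsafe(reported)));
console.log(tagNames(tooltipSafe(reported)), onlyWrapper(tooltipSafe(reported)));
```

Encoding belongs at the point where the string becomes markup; applying `encodeHtml` a second time to already encoded text turns `&lt;` into `&amp;lt;` and shows literal entities to the user.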

Changed November 28, 2012 10:46AM UTC by DJtomy comment:3

Replying to [comment:2 Scott González]:

Autocomplete demo: Combobox: Encode search term inside tooltips. Fixes #8859 - Autocomplete: XSS in combobox demo. Changeset: 5fee6fd5000072ff32f2d65b6451f39af9e0e39e

Just tested again, it is not fixed! XSS still working.

Changed November 28, 2012 11:53AM UTC by mikesherov comment:4

DJTomy, the milestone is 1.10, which means it'll be fixed when that version is released.

Changed November 28, 2012 11:57AM UTC by DJtomy comment:5

Replying to [comment:4 mikesherov]:

DJTomy, the milestone is 1.10, which means it'll be fixed when that version is released.

I understand, my bad! Sorry for the trouble!