XSS possible due to use of jQuery.html()

Question

XSS possible due to use of jQuery.html()

ldrick opened this issue 9 years ago · 3 comments

If a value contains bad HTML, this will be executed within the function suggest(data).

'<img src="x" onerror="alert(1)">'

This can be used as example.

Fix could be, that renderItem() would work with HTMLElement or jQuery as return-type, but this will break the API.
Example:

renderItem: function(item) {
    var div = $(document.createElement("DIV"));
    return div.addClass("autocomplete-suggestion").text(item).data("val", item);
}

On top of that, rewriting the method suggest(data) is required, to be able to work with HTMLElement or jQuery. I've done it like this, without breaking the API for String:

function suggest(data) {
    var val = that.val();
    that.cache[val] = data;
    that.sc.empty();
    if (data.length && val.length >= o.minChars) {
        // using strings is unsecure
        // but old API #renderItem returns string
        var s = '';
        for (var i = 0; i < data.length; i++) {
            var rendered = o.renderItem(data[i], val);
            if (typeof rendered === "string") {
                // old API support
                s += o.renderItem(data[i], val);
            } else {
                that.sc.append(o.renderItem(data[i], val));
            }
        }
        // old API support
        if (s.length > 0) {
            // this enables XSS
            that.sc.html(s);
        }
        that.updateSC(0);
    } else {
        that.sc.hide();
    }
}

Answer 1 · 2016-04-13T11:16:26.000Z

I don't see any reason for this overhead. The developer is fully in control of what is sent as suggestions to the plugin. Escaping should not be part of the plugin code.

Answer 2 · 2016-04-13T12:23:35.000Z

Hi, that is a valid point of view, but it is not as easy to do the correct encoding as it seems to be.
OWASP XSS Prevention Cheet Sheet > Why...

Currently renderItem() supports one parameter "item".
Due to item is used within this line twice:

return '<div class="autocomplete-suggestion" data-val="' + item + '">' + item.replace(re, "<b>$1</b>") + '</div>';

First as attribute and second as content of the div, one must choose the correct encoding:
HTML or HTML-Attribute? I think, this could often be done in the wrong way.

Answer 3 · 2016-04-13T19:26:08.000Z

It's definitely good to know about the issue. Maybe it should be mentioned as a warning in the plugin documentation ...