Potential XSS vulnerability
gomez114 opened this issue · 0 comments
gomez114 commented
The input variable `operation` is accepted by `$.fn.contextMenu`:
// handle contextMenu triggers
$.fn.contextMenu = function (operation) {
var $t = this, $o = operation;
if (this.length > 0) { // this is not a build on demand menu
if (typeof operation === 'undefined') {
this.first().trigger('contextmenu');
...
...
} else if ($.isPlainObject(operation)) {
operation.context = this;
$.contextMenu('create', operation);
`$.fn.contextMenu` then calls `$.contextMenu`, where `operation` is passed on as `options` and merged into `o`:
$.contextMenu = function (operation, options) {
if (typeof operation !== 'string') {
options = operation;
operation = 'create';
}
if (typeof options === 'string') {
options = {selector: options};
} else if (typeof options === 'undefined') {
options = {};
}
// merge with default options
var o = $.extend(true, {}, defaults, options || {});
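In the end, `o.context` is passed to `$()`. When the `$` function is given a string that looks like HTML, it parses the string as markup instead of treating it as a CSS selector, so `$(context)` will execute JavaScript code if the value of `context` is a string like "<img src=x onerror=alert(1)>". Note that in the `$.fn.contextMenu` path shown above, `operation.context` is overwritten with `this` (a jQuery object), so the string case arises only when a caller passes `context` to `$.contextMenu` directly, and it matters only if that value is built from untrusted input. Resolving a string context with `$(document).find(context)`, or accepting only DOM elements and jQuery objects, would keep it from being parsed as HTML. The call in question is in the 'destroy' branch: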
case 'destroy':
var $visibleMenu;
if (_hasContext) {
// get proper options
var context = o.context;
$.each(menus, function (ns, o) {
if (!o) {
return true;
}
// Is this menu equest to the context called from
if (!$(context).is(o.selector)) {
return true;
}