#3728 closed enhancement (invalid)
Opened December 20, 2008 02:10AM UTC
Closed October 12, 2009 11:37PM UTC
[autocomplete] - Cross-Site Scripting (XSS) Security Fix Suggestion
Reported by: | richapps | Owned by: |
---|---|---|---
Priority: | major | Milestone: | 1.3
Component: | plugin | Version: | 1.2.6
Keywords: | security, xss, autocomplete, cross-site | Cc: | richapps@gmail.com
Blocked by: | | Blocking: |
Description
When the loaded data for autocomplete contains special characters, it exposes a cross-site scripting vulnerability. A simple fix is to escape certain characters (<, >, ") before they are applied to the screen. This will prevent unwanted malicious script executions.
On line 367 of version 1.0.2, replace the line:
var rows = data.split("\n");
with this line:
var rows = data.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').split("\n");
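The pattern the report describes, shown as an added example rather than the reporter's patch or the autocomplete plugin's own code: a response split into rows and concatenated into markup, next to the same rendering with each row escaped first. The function names (escapeHtml, splitRows, renderRowsUnsafe, renderRowsSafe) and the sample response are assumptions made for this illustration. Unlike the three-character replace in the ticket, the escaper also handles & (first, so the entities it emits are not re-escaped) and the single quote, which matters when a row ends up inside an attribute.

```javascript
// Added example (not the plugin's code): escape untrusted autocomplete rows
// before they are inserted as HTML. Function names and the sample response
// below are assumptions for this illustration.

// Minimal HTML escaper. '&' must be handled first, otherwise the entities
// produced for the later characters would themselves be re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Split the raw response into rows, as the plugin does with data.split("\n").
function splitRows(data) {
  return data.split('\n').filter((row) => row.length > 0);
}

// Vulnerable pattern: rows are concatenated straight into markup, so any
// row containing a tag is interpreted as HTML by the browser.
function renderRowsUnsafe(data) {
  return '<ul>' + splitRows(data).map((row) => '<li>' + row + '</li>').join('') + '</ul>';
}

// Hardened pattern: every row is escaped before being placed in markup.
function renderRowsSafe(data) {
  return '<ul>' + splitRows(data).map((row) => '<li>' + escapeHtml(row) + '</li>').join('') + '</ul>';
}

// Constructed sample response: two ordinary suggestions and one row carrying
// a script-bearing tag, the kind of row a server would only emit if it
// echoed unsanitised user input into the suggestion list.
const sampleResponse = 'alice\nbob\n<img src=x onerror="alert(1)">\n';

// In a browser the unsafe markup would fire the onerror handler as soon as it
// is assigned to innerHTML; the safe markup shows the tag as literal text.
if (typeof document !== 'undefined') {
  const list = document.createElement('div');
  list.innerHTML = renderRowsSafe(sampleResponse);
  document.body.appendChild(list);
}
```

Escaping at the point where rows are turned into markup is the fix the ticket asks for; the alternative is to build the list with DOM calls and set each item's text via textContent, which avoids HTML parsing of the row altogether.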
Attachments (0)
Change History (1)
Changed October 12, 2009 11:37PM UTC by comment:1
resolution: | → invalid |
---|---|
status: | new → closed |
This is not a jQuery core bug. Please report plugin bugs to the plugin's author, or ask on the jQuery forums. jQuery UI bugs should be reported on the UI bug tracker, http://dev.jqueryui.com .