Bug Tracker

Opened 6 years ago

Closed 6 years ago

#14789 closed bug (notabug)

SELECTOR INTERPRETED AS HTML : ticket - 11290

Reported by: parthasarathi.g@…
Owned by: (unassigned)
Priority: undecided
Milestone: None
Component: unfiled
Version: 2.1.0
Keywords: (none)
Cc: (none)
Blocked by: (none)
Blocking: (none)

Description

Ticket 11290 is still possible in the latest versions, and this leads to an XSS vulnerability too.

http://jsfiddle.net/C8dgG/27/

Change History (1)

comment:1 Changed 6 years ago by gibson042

Resolution: notabug
Status: new → closed

The provided example has two problems:

  • Inclusion of raw <script>…</script> breaks the resultant HTML
  • element[attribute='<script>alert(1);</script><img src='sss' onerror='alert(1)'><b>zzz</b>'] is not a valid selector (the string against which to test "attribute" is closed immediately before "sss")

Fixing both problems demonstrates the lack of a vulnerability: http://jsfiddle.net/C8dgG/28/

However, fixing just the first reveals a parsing error in Sizzle: http://jsfiddle.net/C8dgG/29/

I will open a new ticket for the latter.
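The second problem gibson042 points out, the attribute value string being closed by the first unescaped `'` inside it, is easy to reproduce outside a browser. The following is an added example, not code from the ticket or from jQuery: `cssStringEscape`, `attrSelector` and `readAttrValue` are hypothetical helpers (`cssStringEscape` stands in for the browser's `CSS.escape` so the snippet runs in Node), and the untrusted value is the one from the reporter's selector.

```javascript
// Quote a value for use inside a CSS attribute selector. Per the CSS
// string syntax, a backslash and the enclosing quote are the only
// characters that need a backslash prefix. (Hypothetical helper.)
function cssStringEscape(value) {
  return '"' + String(value).replace(/["\\]/g, "\\$&") + '"';
}

// Build [name="value"] from an attribute name and an untrusted value.
// Pass the result to document.querySelector or $(root).find(); never
// hand untrusted text to $() itself, which may parse it as HTML.
function attrSelector(name, value) {
  if (!/^[A-Za-z_][\w-]*$/.test(name)) {
    throw new Error("invalid attribute name: " + name);
  }
  return "[" + name + "=" + cssStringEscape(value) + "]";
}

// Read the quoted value of a [name='...'] / [name="..."] selector the
// way a CSS tokenizer would: honour backslash escapes, stop at the first
// unescaped closing quote, and report whatever text is left over. The
// selector is only well formed if exactly "]" remains.
function readAttrValue(selector) {
  const m = /^\[[\w-]+=(['"])/.exec(selector);
  if (!m) return null;
  const quote = m[1];
  let out = "";
  let i = m[0].length;
  for (; i < selector.length; i++) {
    const ch = selector[i];
    if (ch === "\\" && i + 1 < selector.length) { out += selector[++i]; continue; }
    if (ch === quote) break;
    out += ch;
  }
  const rest = selector.slice(i + 1);
  return { value: out, rest: rest, valid: rest === "]" };
}

// The value from the reporter's fiddle (constructed sample input).
const untrusted =
  "<script>alert(1);</script><img src='sss' onerror='alert(1)'><b>zzz</b>";

// Naive concatenation, as in the ticket: the ' before sss ends the string,
// so the selector is malformed and no lookup happens.
const naive = "[attribute='" + untrusted + "']";

// Escaped construction keeps the entire value inside the quotes.
const safe = attrSelector("attribute", untrusted);
```

`readAttrValue(naive)` reports the value as `<script>alert(1);</script><img src=` with `sss' onerror=...` left over, while `readAttrValue(safe)` returns the full untrusted string and a valid selector.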
