Opened 10 years ago
Closed 10 years ago
#14789 closed bug (notabug)
SELECTOR INTERPRETED AS HTML : ticket - 11290
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | undecided | Milestone: | None |
| Component: | unfiled | Version: | 2.1.0 |
| Keywords: | | Cc: | |
| Blocked by: | | Blocking: | |
Description
Ticket 11290 is still possible in the latest versions, and this leads to an XSS vulnerability too.
The provided example has two problems:

1. `<script>…</script>` breaks the resultant HTML
2. `element[attribute='<script>alert(1);</script><img src='sss' onerror='alert(1)'><b>zzz</b>']` is not a valid selector (the string against which to test "attribute" is closed immediately before "sss")

Fixing both problems demonstrates the lack of a vulnerability: http://jsfiddle.net/C8dgG/28/

However, fixing just the first reveals a parsing error in Sizzle: http://jsfiddle.net/C8dgG/29/

I will open a new ticket for the latter.
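The quoting problem described in the comment above, as an added example that is not code from the ticket, jQuery or Sizzle: plain JavaScript that escapes an attribute value before interpolating it into a single-quoted attribute selector, plus a minimal string scanner showing where the quoted value of each version of the selector actually ends. The function names are my own, and no DOM is needed.

```javascript
// Added example, not code from the ticket, jQuery or Sizzle. Escapes an
// attribute value before building a single-quoted attribute selector, and
// scans the result to show where the quoted string really ends.

// Escape backslash and single quote, the two characters that would end or
// alter a single-quoted CSS string token.
function escapeForSingleQuotedString(value) {
  return String(value).replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Build `tag[attr='value']`. The result starts with a tag name rather than
// "<", so jQuery will not mistake it for an HTML fragment.
function attributeSelector(tag, attr, value) {
  return `${tag}[${attr}='${escapeForSingleQuotedString(value)}']`;
}

// Index of the closing quote of the single-quoted string opening at `start`,
// honouring backslash escapes; -1 if the string is unterminated.
function findClosingQuote(selector, start) {
  for (let i = start + 1; i < selector.length; i++) {
    if (selector[i] === "\\") { i++; continue; }  // skip escaped char
    if (selector[i] === "'") return i;
  }
  return -1;
}

// Decoded content of the first single-quoted string in `selector`, or null.
function quotedValue(selector) {
  const open = selector.indexOf("'");
  if (open === -1) return null;
  const close = findClosingQuote(selector, open);
  if (close === -1) return null;
  return selector.slice(open + 1, close).replace(/\\(.)/g, "$1");
}

// Constructed sample: the attribute value quoted in the comment above.
const payload =
  "<script>alert(1);</script><img src='sss' onerror='alert(1)'><b>zzz</b>";

// Naive interpolation: the string token closes right before "sss".
const naive = `element[attribute='${payload}']`;
// Escaped: the whole value survives as one string token.
const safe = attributeSelector("element", "attribute", payload);

console.log(quotedValue(naive));            // <script>alert(1);</script><img src=
console.log(quotedValue(safe) === payload); // true
```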