Side navigation
#14789 closed bug (notabug)
Opened February 13, 2014 07:52AM UTC
Closed February 13, 2014 08:24PM UTC
SELECTOR INTERPRETED AS HTML : ticket - 11290
| Reported by: | parthasarathi.g@zohocorp.com | Owned by: | |
|---|---|---|---|
| Priority: | undecided | Milestone: | None |
| Component: | unfiled | Version: | 2.1.0 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
ticket - 11290 is still possible in latest versions and this leads to xss vulnerability too.
Attachments (0)
Change History (1)
Changed February 13, 2014 08:24PM UTC by comment:1
| resolution: | → notabug |
|---|---|
| status: | new → closed |
The provided example has two problems:
<script>…</script>breaks the resultant HTMLelement[attribute='<script>alert(1);</script><img src='sss' onerror='alert(1)'><b>zzz</b>']is not a valid selector (the string against which to test "attribute" is closed immediately before "sss")Fixing both problems demonstrates the lack of a vulnerability: http://jsfiddle.net/C8dgG/28/
However, fixing just the first reveals a parsing error in Sizzle: http://jsfiddle.net/C8dgG/29/
I will open a new ticket for the latter.