Opened 10 years ago
Closed 10 years ago
#3728 closed enhancement (invalid)
[autocomplete] - Cross-Site Scripting (XSS) Security Fix Suggestion
| Reported by: | richapps | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 1.3 |
| Component: | plugin | Version: | 1.2.6 |
| Keywords: | security, xss, autocomplete, cross-site | Cc: | richapps@… |
| Blocked by: | Blocking: |
Description
When the loaded data for autocomplete contains special characters, it exposes a cross-site scripting vulnerability. A simple fix is to escape certain characters (<, >, ") before they are applied to the screen. This will prevent unwanted malicious script executions.
On line 367 of version 1.0.2, replace the line:
var rows = data.split("\n");
with this line:
var rows = data.replace(/\</g,'<').replace(/\>/g,'>').replace(/\"/g,'"').split("\n");
Note: See
TracTickets for help on using
tickets.
This is not a jQuery core bug. Please report plugin bugs to the plugin's author, or ask on the jQuery forums. jQuery UI bugs should be reported on the UI bug tracker, http://dev.jqueryui.com .