Bug Tracker

#3728 closed enhancement (invalid)

Opened December 20, 2008 02:10AM UTC

Closed October 12, 2009 11:37PM UTC

[autocomplete] - Cross-Site Scripting (XSS) Security Fix Suggestion

Reported by: richapps Owned by:
Priority: major Milestone: 1.3
Component: plugin Version: 1.2.6
Keywords: security, xss, autocomplete, cross-site Cc: richapps@gmail.com
Blocked by: Blocking:
Description

When the loaded data for autocomplete contains special characters, it exposes a cross-site scripting vulnerability. A simple fix is to escape certain characters (<, >, ") before they are applied to the screen. This will prevent unwanted malicious script executions.

On line 367 of version 1.0.2, replace the line:

var rows = data.split("\n");

with this line:

// escape <, > and " as HTML entities before the rows are rendered
var rows = data.replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;').split("\n");
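The ticket's one-line patch escapes <, > and " in the raw response string before it is split into rows. As an added example, not code from the ticket or from the autocomplete plugin, the block below does the same job per cell and also escapes & (first, so existing entities are not double-decoded) and ', which covers single-quoted attribute contexts. The newline-separated, pipe-delimited response format, the sample data and the function names (escapeHtml, parseAutocompleteData, renderRows) are assumptions made for this example, not taken from the plugin source.

```javascript
// Added example (not the autocomplete plugin's own code): escape untrusted
// autocomplete data before it is inserted into the page as HTML.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a single value for use as HTML text or attribute content.
// & is in the character class so it is handled in the same single pass
// as the others; an already-escaped "&lt;" therefore stays visible text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse a newline-separated, pipe-delimited response (this line/column
// layout is an assumption for the example) and escape every cell before
// any of it reaches markup.
function parseAutocompleteData(data) {
  return data
    .split("\n")
    .filter((line) => line.length > 0)
    .map((line) => line.split("|").map(escapeHtml));
}

// Render parsed rows as list items. Every cell is already escaped, so a
// value that contains markup is shown literally instead of being parsed.
function renderRows(rows) {
  return rows.map((cells) => `<li>${cells.join(" ")}</li>`).join("");
}

// Constructed sample response: one benign row and one row carrying markup
// of the kind the ticket describes.
const SAMPLE_DATA = "Alice|alice@example.com\n<script>alert(1)</script>|x\n";
```

Escaping at the point where data becomes markup is the detection-proof form of the fix: it does not depend on the server filtering its output, and a server that starts returning entity-encoded text keeps working because & is escaped rather than decoded.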

Attachments (0)
Change History (1)

Changed October 12, 2009 11:37PM UTC by dmethvin comment:1

resolution: → invalid
status: new → closed

This is not a jQuery core bug. Please report plugin bugs to the plugin's author, or ask on the jQuery forums. jQuery UI bugs should be reported on the UI bug tracker, http://dev.jqueryui.com .