XSS vulnerability

[emizzz]

Magnific Popup uses a parameter called preloader, which by default is set to true.

Using a specifically crafted payload (in src URL) two things happen:

Initially, the text variable in the updateStatus function is set to “Loading…”

Then it takes the value passed to it by the default error handling function (which contains the URL).

mfp.updateStatus('error', imgSt.tError.replace('%url%', item.src) );

The problem here is that the .html() function does not escape HTML and could be used to inject code.

The vulnerability, if exploitable, can even lead to "stored XSS".

[BloodyIron]

Looks legit to me. (as in legit threat)

[emizzz]

Do you mean that this is intended as a feature?

[BloodyIron]

As in the fact it does not escape html is a legitimate security concern. I am not a developer, I simply spotted this and wanted to state that I support that this needs to be fixed.

[thexmanxyz]

@emizzz I agree that it would be great to escape the output passed to .html() before writing it to the DOM. Granted. But what is the potential attack vector that you expect here to happen? How you expect that someone is able to place a payload encoded in the href attribute of an <a> tag? Escaping is import but I assume the potential risk here is minor.

I can only imagine one single situation where you would be able to inject here a custom payload and this would be user generated href values that where not accordingly santinized. Hence and consequently already stored in an unsantinized format in your storage backend of choice and then rendered again on front-end. But at this point you already rendered unsantinized stuff in your DOM which is already a potential risk / vector for code injection.

Just meant as a clarification of impact.