Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XSS Vulnerability on closeText option of Dialog jQuery UI 1.11.4 #1622

Closed
wants to merge 44 commits into from
Closed

XSS Vulnerability on closeText option of Dialog jQuery UI 1.11.4 #1622

wants to merge 44 commits into from

Conversation

1001binary
Copy link

I couldn't submit the bug to the website http://bugs.jqueryui.com/newticket.

VULNERABILITY DETAILS

A potential bug enables us to inject the XSS content into closeText option using component ui dialog. As original of jQuery UI(https://api.jqueryui.com/dialog/#option-closeText), we shall not accept any HTML string inside it.

VERSION

Any site using the latest version jQuery UI 1.11.4 .

REPRODUCTION CASE

  • Create a new HTML page.
  • Inject this content into new page.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>XSS in closeText option of component ui dialog</title>

    <script src="https://code.jquery.com/jquery-2.1.4.js"></script>
    <script src="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script>
    <link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/
jquery-ui.css">
    <script>
        $(document).ready(function () {
            $('#dialog').dialog({ closeText: '<script>alert("XSS")<\/script>' });
        });
    </script>
</head>
<body>
    <div id="dialog" title="Dialog Title">Content here!</div>
</body>
</html>
  • A alert popup was shown.
  • Completed.

IN CONCLUSION

We expect that the html string isn't allowed in the closeText option as well as the popup alert not shown. If it displays, any attacker can take advantage of injecting the malicious XSS content into website.

Please see details at here http://jsfiddle.net/0wjdtcc6/

scottgonzalez and others added 30 commits November 3, 2014 17:59
@scottgonzalez
Build: Update links to AUTHORS.txt and LICENSE.txt in package.json
27a88c8
@eshcharc @scottgonzalez
DatePicker: datepicker_instActive released on instance destroy
47ceff8 
Fixes #10668
Closes gh-1362
(cherry picked from commit e5e3ca4)
@bperel @scottgonzalez
Autocomplete: Remove duplicate array key in demo
c303f7e 
Ref gh-1363
(cherry picked from commit 0fccf94)
@bperel @scottgonzalez
Demos: Remove duplicate CSS properties
152c2d1 
Closes gh-1363
(cherry picked from commit 14c4eae)
@scottgonzalez
Dialog: Remove leftover backcompat flag in tests
7b4d706 
(cherry picked from commit b2a477f)
@scottgonzalez
Selectmenu: Remove broken tabindex code
c3dcf4e 
(cherry picked from commit 1fb0879)
@scottgonzalez
Datepicker: Fixed month names and firstDay value in Arabic locale
9afe0f7 
Fixes #10035
Closes gh-1246
(cherry picked from commit 06231cf)
@tjvantoll @scottgonzalez
Tests: Adding missing dependency
4686458 
(cherry picked from commit ae577ae)
@scottgonzalez
Selectmenu: Properly parse value from options
dc2c948 
Fixes #10684
(cherry picked from commit 809cc0f)

Conflicts:

	ui/selectmenu.js
@scottgonzalez
Tabs: Suppress automatic activation when navigating with COMMAND
9dd1e73 
Fixes #9621
Closes gh-1383
(cherry picked from commit 6a242ab)
@scottgonzalez
Widget: Fix typos
28ab47c 
Closes gh-1386
(cherry picked from commit 347b2a5)
@agcolom @scottgonzalez
Easing: Fixed small typo in easing demo
3116967 
(cherry picked from commit fe75984)
@thg2k @scottgonzalez
Widget: Improve readability in $.widget.bridge()
69bd7a7 
Closes gh-1409
(cherry picked from commit 713688d)
@agcolom @scottgonzalez
Build: Remove dates from copyright notice
727a915 
Closes gh-1403
(cherry picked from commit c89cb74)
@scottgonzalez
Accordion: Set aria-expanded when collapsing
dc2b17d 
Fixes #10703
Closes gh-1413
(cherry picked from commit ab798cb)
@meyertee @scottgonzalez
Position: Restore old flip collision handling
276cd5c 
This reverts commit 7f808b2.

Fixes #8710
Ref gh-1071
(cherry picked from commit ebaaca7)
@meyertee @scottgonzalez
Position: Add unit tests for bug 8710
9db4057 
Ref #8710
Closes gh-1071
(cherry picked from commit 4de983c)
@SlimFoster @scottgonzalez
Core: Match on exact node name for :focusable and :tabbable
f1345e3 
Fixes #10747
Ref gh-1417
(cherry picked from commit c66842b)
@SlimFoster @scottgonzalez
Resizable: Match on exact node name
7ff9b28 
Fixes #10748
Closes gh-1417
(cherry picked from commit faefab8)
@lukeapage @scottgonzalez
DatePicker: Fix tests to have unique names
ad121b2 
(cherry picked from commit c217007)
@lukeapage @scottgonzalez
DatePicker: increase date range so that tests still pass through 2015
76ebe08 
(cherry picked from commit 0566e99)
@jzaefferer @scottgonzalez
Tests: Fix jquery reference in unit index file
66b31b3 
(cherry picked from commit d3bb0f7)
@jzaefferer @scottgonzalez
Tests: Fix jQuery version references to match files in external/
fcb26aa 
(cherry picked from commit a3b43ee)
@dekajp @scottgonzalez
Slider: Fix max calculation, when step is float
dfa3a9f 
Fixes #10721
Closes gh-1398
(cherry picked from commit ae1d6d5)
@lukeapage @scottgonzalez
Docs: Clarify PHP Usage
da67914 
Clarify that PHP is not required for testing, add a link to the
CONTRIBUTING page and tidy up.

Closes gh-1418
(cherry picked from commit 8cc636d)
@mikesherov @scottgonzalez
Resizable: Whitespace Cleanup
105f4a5 
(cherry picked from commit 337e411)
@mikesherov @scottgonzalez
Resizable: correct width when grid approaches zero
0a0db09 
Fixes #10590
(cherry picked from commit 9493839)
@marcuswarrenca @scottgonzalez
Sortable: Add support for iframes
fa460f3 
Fixes #9604
Closes gh-1443
(cherry picked from commit 17c7f69)
@scottgonzalez
Build: Update authors list
8dfc67d
@scottgonzalez
Build: Updating the 1-11-stable version to 1.11.4-pre.
aec0b62
Krinkle and others added 14 commits February 20, 2015 11:14
@Krinkle @scottgonzalez
Build: Use browserSets from testswarm config
258dbe3 
It's already in jQuery's Jenkins node-testswarm config
(and set to the same value) but not used yet.

Reference it to make sure it keeps working in the future.

Closes gh-1452
(cherry picked from commit 1e7a1e8)
@tjvantoll @scottgonzalez
Sortable: Redetermine floating flag when recalculating positions
189f1d4 
This addresses a bug where users initialize empty sortable lists are
add items dynamically. In this situation refresh() should recognize the
position and orientation of the new items.

Fixes #7498
Closes gh-1381
(cherry picked from commit f656aeb)
@mikesherov @scottgonzalez
Draggable: Ensure parent is correct after dragging through sortable
b371063 
Fixes #10669
(cherry picked from commit d8077dc)
@tjvantoll @scottgonzalez
Dialog: Stop tracking instance in destroy() to avoid memory leaks
04ab6e0 
Fixes #11125
Closes gh-1448
(cherry picked from commit ec1f393)
@scottgonzalez
Accordion: Handle box-sizing: border-box in animations
de75b40 
Fixes #9264
Closes gh-1287
Closes gh-1459
(cherry picked from commit 4b017b4)
@patrixd @scottgonzalez
Resizable: Modified to allow jquery objects as handles
65f31c2 
Custom handlers did not work as jquery objects (outside the resizable element)

Fixes #9658
Closes gh-1445
(cherry picked from commit 18e301f)
@benmosher @scottgonzalez
Resizable: alsoResize more than one element of a jQuery selection
31e7099 
Fixes #4666
Closes gh-1324
Closes gh-1461
(cherry picked from commit 19783fd)
@atomiomi @scottgonzalez
Slider: Modified to allow value to reach max value with float step
0f99e9c 
Fixes #11286
Closes gh-1465
(cherry picked from commit 60c00cd)
@scottgonzalez
Dialog: Fix typo
d699725 
Closes gh-1447

Thanks Spencer Davis
(cherry picked from commit d95c23a)
@oemmes @scottgonzalez
Sortable: Append a tr with td to the placeholder of tbody elements
ddc1b32 
When sorting tbody elements of a table the placeholder needs to have a tr with
td elements to be visible. The appended elements are created in the same way
as for the placeholder of a tr element; the first row of the sorted tbody is
used for that.

Fixes #10682
Closes gh-1380
(cherry picked from commit 962e05d)
@scottgonzalez
Tabs: Use standard promise methods for jqXHR
1c92d68 
The old success(), error() and complete() methods have been deprecated for a
while and have been removed in upstream master.

Closes gh-1455
(cherry picked from commit c1dfb98)
@mziech @scottgonzalez
Tooltip: Register event handlers before content is loaded
88291ff 
Fixes #8740
Closes gh-1053
Closes gh-1456
(cherry picked from commit c4e367b)
@scottgonzalez
Build: Update authors list
40cdb5f
@scottgonzalez
Build: Updating the 1-11-stable version to 1.11.5-pre.
b93df29
@jquerybot
Copy link

Thank you for your pull request. It looks like this may be your first contribution to a jQuery Foundation project, if so we need you to sign our Contributor License Agreement (CLA).

📝 Please visit http://contribute.jquery.org/CLA/ to sign.

After you signed, the PR is checked again automatically after a minute. If there's still an issue, please reply here to let us know.

If you've already signed our CLA, it's possible your git author information doesn't match your CLA signature (both your name and email have to match), for more information, check the status of your CLA check.

@1001binary 1001binary closed this Oct 20, 2015
@periklis periklis mentioned this pull request Oct 28, 2018
Closed
78 tasks
@MathiasReker MathiasReker mentioned this pull request Nov 12, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.