You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I found an XSS that occurs with jquery-ujs and jquery-rails.
I have confirmed the operation with Safari and IE (and old version of Edge).
The problematic part is the following handleMethod part.
The value of href is used without escaping. (The method, csrfParam, csrfToken have the same problem, but it is rare for user input to enter this part.)
Whether the results of element[0].href were percent encoded was browser dependent.
Firefox and Chrome are encoded, Safari and Internet Explorer are XSS happened.
hello,
I found an XSS that occurs with
jquery-ujs
andjquery-rails
.I have confirmed the operation with Safari and IE (and old version of Edge).
The problematic part is the following
handleMethod
part.The value of href is used without escaping. (The
method
,csrfParam
,csrfToken
have the same problem, but it is rare for user input to enter this part.)This value is taken from the DOM
.href
PoC
The attack code can be included after
#"
if the user can write a link as follows:Whether the results of
element[0].href
were percent encoded was browser dependent.Firefox and Chrome are encoded, Safari and Internet Explorer are XSS happened.
On the other hand, rails-ujs included in Rails 5 is safe because it operates the DOM directly.
https://github.com/rails/rails/blob/master/actionview/app/assets/javascripts/rails-ujs/features/method.coffee#L26
This issue was reported to hackerone but was out of scope.
The text was updated successfully, but these errors were encountered: