Side navigation
closed bug (fixed)
Opened June 06, 2011 05:16AM UTC
Closed June 19, 2012 03:30PM UTC
Last modified April 17, 2013 11:31PM UTC
XSS with $(location.hash) and $(#<tag>) is needed?
| Reported by: | jquery@ma.la | Owned by: | dmethvin |
|---|---|---|---|
| Priority: | blocker | Milestone: | 1.7 |
| Component: | core | Version: | 1.6.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
I found and reported this xss pattern in evernote.com, skype.com and many famous websites.
and many jQuery plugin has this XSS pattern.
https://github.com/rodbegbie/threequarters/blob/master/htdocs/design/threequarters.js#L4-5
https://github.com/vitch/jScrollPane/blob/master/script/jquery.jscrollpane.js#L1013-1016
https://github.com/kastner/audio-sinner/blob/master/public/javascripts/app.js#L19
https://github.com/steadicat/labels/blob/master/tabs.js#L5-7
"$(location.hash)" expected CSS selector in many case, but this code also can create html element.
the quick patch by jquery is here
- quickExpr = /^(?:[^<]*(<[\\w\\W]+>)[^>]*$|#([\\w\\-]*)$)/, + quickExpr = /^(?:[^#<]*(<[\\w\\W]+>)[^>]*$|#([\\w\\-]*)$)/,