
[security] `setIcon` and `closeIconClass` can be used to inject arbitrary HTML

Open Rob--W opened this issue 5 years ago • 1 comments

jquery-confirm version: v3.3.4

I'm submitting a ... (check one with "x") [x] bug report [ ] feature request [ ] support request

Current behavior:

The setIcon method and the closeIconClass parameter can be used to inject HTML.

Expected behavior:

setIcon and closeIconClass should set a class name, and not permit HTML injection.

Steps to reproduce:

```js
// This shows successful script execution: alert(0) is executed, while it should not be!
$.confirm().setIcon('"><img src onerror="alert(0)"><"')
```

Related code:

https://github.com/craftpip/jquery-confirm/blob/v3.3.4/js/jquery-confirm.js#L834

https://github.com/craftpip/jquery-confirm/blob/v3.3.4/js/jquery-confirm.js#L753

Other information:

This bug can cause security issues (XSS), when a library consumer passes external values to setIcon. To fix this, use addClass instead of concatenating HTML strings.

Rob--W, Feb 17 '20 15:02

‎‍🛠️ A fix has been provided for this issue. Please reference: https://github.com/418sec/jquery-confirm/pull/2

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.

huntr-helper, Aug 20 '20 12:08
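
A consumer-side guard for the case the report describes, where external values reach `setIcon` or `closeIconClass`, together with a class-API setter in the spirit of the suggested `addClass` fix. This is an added example, not code from jquery-confirm or from the linked pull request; the names `parseIconClasses`, `applyIconClasses` and `safeIconClass` are hypothetical.

```javascript
// A class token: letters, digits, '_' and '-', not starting with a digit.
// Deliberately narrower than what CSS permits, so no quote, angle bracket,
// '=' or other markup character can pass.
const CLASS_TOKEN = /^-?[A-Za-z_][A-Za-z0-9_-]*$/;

// Returns the class tokens in `value`, or throws if any token is not a plain
// class name. Rejecting (instead of stripping) keeps bad input visible.
function parseIconClasses(value) {
  if (typeof value !== 'string') {
    throw new TypeError('icon class must be a string');
  }
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  for (const token of tokens) {
    if (!CLASS_TOKEN.test(token)) {
      throw new RangeError('not a class name: ' + JSON.stringify(token));
    }
  }
  return tokens;
}

// Applies the classes through the element's class API instead of building
// HTML. `iconEl` is assumed to be any object with a DOMTokenList-style
// classList (a real Element in the browser); the value is never parsed as
// markup on this path.
function applyIconClasses(iconEl, value) {
  const tokens = parseIconClasses(value);
  iconEl.classList.add(...tokens);
  return tokens;
}

// For callers that cannot patch the library: returns a string that contains
// only class names, or `fallback` when the input is rejected.
function safeIconClass(untrusted, fallback = '') {
  try {
    return parseIconClasses(untrusted).join(' ');
  } catch (err) {
    return fallback;
  }
}
```

With an unpatched v3.3.4, a caller would pass `safeIconClass(externalValue, 'fa fa-question')` to `setIcon` rather than the raw value.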