bootstrap-file-input
[xss] - XSS via filename
https://github.com/grevory/bootstrap-file-input/blob/master/bootstrap.file-input.js#L112:
$(this).parent().after('<span class="file-input-name">'+fileName+'</span>');
This opens up users of this library to XSS attacks [1]. fileName should be escaped before it is used inside raw HTML.
[1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
I would suggest a fix that uses textContent or jQuery's text() method:
diff --git a/vendor/assets/javascripts/bootstrap-fileinput.js b/vendor/assets/javascripts/bootstrap-fileinput.js
index 9467b45..d912909 100644
--- a/vendor/assets/javascripts/bootstrap-fileinput.js
+++ b/vendor/assets/javascripts/bootstrap-fileinput.js
@@ -103,7 +103,9 @@ $.fn.bootstrapFileInput = function() {
fileName = fileName.substring(fileName.lastIndexOf('\\')+1,fileName.length);
}
- $(this).parent().after('<span class="file-input-name">'+fileName+'</span>');
+ var span = jQuery('<span></span>', {"class":"file-input-name"});
+ span.text(fileName);
+ $(this).parent().after(span);
});
});
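Review bot: The added lines use the `jQuery` global while the surrounding code in the same handler uses the `$` alias (`$(this).parent()`), and since `.text()` returns the element, the span can be built in one expression: `var span = $('<span></span>', {"class": "file-input-name"}).text(fileName);` followed by `$(this).parent().after(span);`. Behaviour is the same as the patch: `.text()` inserts the file name as a text node, so any markup characters in the name are rendered literally instead of parsed. If the file name is written into string-built HTML anywhere else in the plugin outside this hunk, it needs the same text-based insertion. Both the change handler and `$.fn.bootstrapFileInput` begin before the hunk, and the header's seven old lines are not all visible here, so some context may have been dropped in this copy.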