Reproduced in versions:
bootstrap-select 1.12.2 and latest master
bootstrap 3.3.7
jquery 3.2.1
Tested in Chrome 57
The
An option looking like this will trigger javascript evaluation when clicked:
<option title="<script>alert('xss');</script>">My XSS</option>
NB: You must CLICK the option to reproduce the issue.
Issue reproduced in this js fiddle: https://jsfiddle.net/mrbajggc/
Also reproduced against latest master in https://jsfiddle.net/b2q65nbe/2/ as of commit 1574419165f0cc270a9798808737e992a0a47f9a
This is still open; I observed something similar during a security assessment.
I believe the issue is in the following line
826: this.$button.attr('title', htmlUnescape($.trim(title.replace(/<[^>]*>?/g, ''))));
827: this.$button.children('.filter-option').html(title);
Line 827 is not escaping the title before adding it as a child of the element. This could be fixed by escaping as in line 826:
827: this.$button.children('.filter-option').html(htmlUnescape($.trim(title.replace(/<[^>]*>?/g, ''))));
This has been fixed and released in v1.13.0!
@caseyjhol Are you sure this is fixed correctly? The escaped tags are still parsed as non-escaped. The <script> tag does not work, but all the others seem to work. Please see:
https://jsfiddle.net/b1dhf8ec/2/
Edit: I've created separate issue for this: #2199
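As an added example (not bootstrap-select's own code), the strip-then-unescape pipeline proposed for line 827 above is placed beside an escape-before-html variant, to show why entity-encoded titles come back as markup once the result reaches .html(), which is the behaviour the follow-up comment reports. htmlUnescape and htmlEscape are assumed stand-ins for the library's helpers, and String.prototype.trim stands in for $.trim.

```javascript
// Stand-in for the library's htmlUnescape (assumed to reverse the common entities).
const UNESCAPE = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#x27;': "'", '&#39;': "'", '&amp;': '&' };
function htmlUnescape(s) {
  return s.replace(/&(lt|gt|quot|#x27|#39|amp);/g, (m) => UNESCAPE[m]);
}

// Escape the five characters that matter in an HTML text context.
const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPE[c]);
}

// Pipeline from the proposed fix: strip literal tags, then UNescape entities.
// Whatever this returns is handed to .html(), so any '<' it produces is parsed as markup.
function proposedFilterOptionHtml(title) {
  return htmlUnescape(title.trim().replace(/<[^>]*>?/g, ''));
}

// Hardened variant: escape (never unescape) before the value reaches .html().
// Equivalent in effect to using .text(title) on the element instead of .html().
function hardenedFilterOptionHtml(title) {
  return htmlEscape(title.trim());
}

// Check usable in unit tests or CI: does a rendered string still carry tag-like markup?
function containsMarkup(s) {
  return /<[^>]*>/.test(s);
}

// Constructed sample titles (harmless <b> used to show markup reintroduction).
const LITERAL_TAG_TITLE = '  <b>bold</b> ';
const ENCODED_TAG_TITLE = '&lt;b&gt;bold&lt;/b&gt;';
```

Running proposedFilterOptionHtml on ENCODED_TAG_TITLE yields a literal `<b>bold</b>`, because the regex only removes tags that are already literal and the unescape step then rebuilds the encoded ones; the hardened variant returns no markup for either input.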